Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(contracts): check for sufficient msgValue for AggregationHook #4673

Merged
merged 8 commits into from
Oct 29, 2024
Merged

fix(contracts): check for sufficient msgValue for AggregationHook #4673

merged 8 commits into from
Oct 29, 2024

Conversation

aroralanuk
Copy link
Contributor

@aroralanuk aroralanuk commented Oct 12, 2024
edited
Loading

Description

  • fixes misuse of aggregation hook funds for relaying messages by making sure msg.value is adequate and refunding if excess.

Drive-by changes

  • None

Related issues

Backward compatibility

No, needs new deployments of aggregationHooks

Testing

Unit

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Oct 12, 2024
edited
Loading

🦋 Changeset detected

Latest commit: b42b871

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 9 packages
Name Type
@hyperlane-xyz/core Minor
@hyperlane-xyz/helloworld Patch
@hyperlane-xyz/sdk Patch
@hyperlane-xyz/infra Patch
@hyperlane-xyz/cli Patch
@hyperlane-xyz/widgets Patch
@hyperlane-xyz/ccip-server Patch
@hyperlane-xyz/github-proxy Patch
@hyperlane-xyz/utils Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@codecov Codecov
Copy link

codecov bot commented Oct 12, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.

Please upload report for BASE (audit-q3-2024@3e2f9e3). Learn more about missing BASE report.

Additional details and impacted files 
@@               Coverage Diff                @@
##             audit-q3-2024    #4673   +/-   ##
================================================
  Coverage                 ?   73.77%           
================================================
  Files                    ?      100           
  Lines                    ?     1434           
  Branches                 ?      187           
================================================
  Hits                     ?     1058           
  Misses                   ?      355           
  Partials                 ?       21
Components Coverage Δ
core 84.61% <0.00%> (?)
hooks 75.81% <0.00%> (?)
isms 77.58% <0.00%> (?)
token 89.54% <0.00%> (?)
middlewares 77.39% <0.00%> (?)

yorhodes
yorhodes approved these changes Oct 24, 2024
View reviewed changes
Copy link
Member

@yorhodes yorhodes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you rename gasRemaining to valueRemaining before merging?

solidity/contracts/hooks/aggregation/StaticAggregationHook.sol Outdated
}

if (gasRemaining > 0) {
payable(metadata.refundAddress(msg.sender)).sendValue(gasRemaining);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
payable(metadata.refundAddress(msg.sender)).sendValue(gasRemaining);
payable(metadata.refundAddress(message.sender())).sendValue(gasRemaining);

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you did not make this change...

@yorhodes yorhodes mentioned this pull request Oct 24, 2024
Closed
yorhodes
yorhodes requested changes Oct 24, 2024
View reviewed changes
Copy link
Member

@yorhodes yorhodes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also add a changeset please

@aroralanuk aroralanuk changed the base branch from main to audit-q3-2024 October 24, 2024 15:44
@aroralanuk
valueRemaining
edb3049
@aroralanuk
docs(changeset): Fixed misuse of aggregation hook funds for relaying …
5a52f0b 
…messages by making sure msg.value is adequate and refunding if excess.
github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 24, 2024
View reviewed changes
solidity/contracts/hooks/aggregation/StaticAggregationHook.sol
@@ -32,16 +44,29 @@
) internal override {
address[] memory _hooks = hooks(message);
uint256 count = _hooks.length;
uint256 valueRemaining = msg.value;

Check notice

Code scanning / Olympix Integrated Security

Local variables in test functions are not properly fuzzed, potentially reducing the effectiveness of property-based testing. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unfuzzed-local-variables Low

Local variables in test functions are not properly fuzzed, potentially reducing the effectiveness of property-based testing. For more information, visit: http://detectors.olympixdevsectools.com/article/web3-vulnerability/unfuzzed-local-variables
@aroralanuk aroralanuk enabled auto-merge (squash) October 29, 2024 15:13
@aroralanuk aroralanuk merged commit a51b288 into audit-q3-2024 Oct 29, 2024
30 checks passed
@aroralanuk aroralanuk deleted the kunal/agg-hook-check-msgValue branch October 29, 2024 15:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yorhodes yorhodes yorhodes approved these changes

@tkporter tkporter Awaiting requested review from tkporter tkporter is a code owner

@ltyu ltyu Awaiting requested review from ltyu ltyu is a code owner

Assignees
No one assigned
Labels
None yet
Projects
Hyperlane Tasks
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aroralanuk @yorhodes