Skip to content

fix: add check to ensure depositor is a valid EVM address #874

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Feb 4, 2025
Merged

fix: add check to ensure depositor is a valid EVM address #874

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions contracts/SpokePool.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1307,6 +1307,9 @@ abstract contract SpokePool is
**************************************/

function _depositV3(DepositV3Params memory params) internal {
// Verify depositor is a valid EVM address.
params.depositor.checkAddress();

// Check that deposit route is enabled for the input token. There are no checks required for the output token
// which is pulled from the relayer at fill time and passed through this contract atomically to the recipient.
if (!enabledDepositRoutes[params.inputToken.toAddress()][params.destinationChainId]) revert DisabledRoute();
Expand Down
10 changes: 7 additions & 3 deletions contracts/libraries/AddressConverters.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,15 +8,19 @@ library Bytes32ToAddress {
error InvalidBytes32();

function toAddress(bytes32 _bytes32) internal pure returns (address) {
if (uint256(_bytes32) >> 160 != 0) {
revert InvalidBytes32();
}
checkAddress(_bytes32);
return address(uint160(uint256(_bytes32)));
}

function toAddressUnchecked(bytes32 _bytes32) internal pure returns (address) {
return address(uint160(uint256(_bytes32)));
}

function checkAddress(bytes32 _bytes32) internal pure {
if (uint256(_bytes32) >> 160 != 0) {
revert InvalidBytes32();
}
}
}

library AddressToBytes32 {
Expand Down
9 changes: 9 additions & 0 deletions test/evm/hardhat/SpokePool.Deposit.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -853,6 +853,15 @@ describe("SpokePool Depositor Logic", async function () {
const functionCalldata = spokePool.interface.encodeFunctionData("deposit", [...depositArgs]);
await expect(spokePool.connect(depositor).callback(functionCalldata)).to.be.reverted;
});
it("depositor must be valid evm address", async function () {
const functionCalldata = spokePool.interface.encodeFunctionData("deposit", [
...getDepositArgsFromRelayData({
...relayData,
depositor: "0x044852b2a670ade5407e78fb2863c51de9fcb96542a07186fe3aeda6bb8a116d",
}),
]);
await expect(spokePool.connect(depositor).callback(functionCalldata)).to.be.reverted;
});
it("unsafe deposit ID", async function () {
// new deposit ID should be the uint256 equivalent of the keccak256 hash of packed {msg.sender, depositor, forcedDepositId}.
const forcedDepositId = "99";
Expand Down
Loading