Omniscia AllianceBlock Audit

LibTeleport Manual Review Findings

LTT-01M: Inexistent Guarantee of Uniqueness

Description:

The LibTeleport::updateTeleportSenders function does not adequately sanitize its input arguments: the same chain ID can be specified in two different TeleportSender entries, in which case the later entry overwrites the teleportAddressByChainId value and the same chain ID exists twice in the supportedChainIds array.

Impact:

The impact of this exhibit is that the MPProviderFacet::supportedChainsCount function will yield an incorrect value. That value does not appear to be used in any sensitive capacity, so we consider this exhibit to be of minor severity.

Example:

contracts/libraries/LibTeleport.sol
    /// @notice Sets the teleports' addresses on all supported chains
    function updateTeleportSenders(IUtility.TeleportSender[] calldata senders_) internal {
        LibTeleport.Storage storage ts = teleportStorage();
        // reset teleportAddressByChainId
        for (uint256 i = 0; i < ts.supportedChainIds.length; ) {
            delete ts.teleportAddressByChainId[ts.supportedChainIds[i]];
            unchecked {
                i += 1;
            }
        }
        // reset supportedChainIds
        delete ts.supportedChainIds;
        for (uint256 i = 0; i < senders_.length; ) {
            ts.teleportAddressByChainId[senders_[i].chainId] = senders_[i].senderAddress;
            ts.supportedChainIds.push(senders_[i].chainId);
            unchecked {
                i += 1;
            }
        }
    }

Recommendation:

We advise uniqueness to be guaranteed, either by using an EnumerableSet by OpenZeppelin or by ensuring that the teleportAddressByChainId of each new entry is 0 before assignment.

Alleviation (54fd570de24631ca65a7cea022aebe43225a08c7):

Uniqueness is now validated by ensuring that the teleportAddressByChainId entry is zero before assigning a value to it, addressing this exhibit.
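
One way to implement the zero-check approach from the recommendation, as an added example that is not the project's patched code. The library name, the field types (uint8 chain ID, bytes sender address), the storage struct passed as a parameter and the two error names are assumptions made so the example compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration; not the AllianceBlock code. Types, storage layout and
/// error names are assumptions (hypothetical) chosen for a standalone example.
library TeleportSendersExample {
    struct TeleportSender {
        uint8 chainId;       // assumed width
        bytes senderAddress; // assumed type
    }

    struct Storage {
        mapping(uint8 => bytes) teleportAddressByChainId;
        uint8[] supportedChainIds;
    }

    error EmptySenderAddress(uint8 chainId);
    error DuplicateChainId(uint8 chainId);

    function updateTeleportSenders(Storage storage ts, TeleportSender[] calldata senders_) internal {
        // Reset the previous configuration, as the original function does.
        for (uint256 i = 0; i < ts.supportedChainIds.length; ) {
            delete ts.teleportAddressByChainId[ts.supportedChainIds[i]];
            unchecked { i += 1; }
        }
        delete ts.supportedChainIds;

        for (uint256 i = 0; i < senders_.length; ) {
            uint8 chainId = senders_[i].chainId;
            bytes calldata sender = senders_[i].senderAddress;

            // The zero check is only a reliable "already seen" marker if a
            // zero value can never be stored, so reject empty addresses first.
            if (sender.length == 0) revert EmptySenderAddress(chainId);
            // After the reset every slot is empty; a non-empty slot means
            // this chain ID already appeared earlier in senders_.
            if (ts.teleportAddressByChainId[chainId].length != 0) revert DuplicateChainId(chainId);

            ts.teleportAddressByChainId[chainId] = sender;
            ts.supportedChainIds.push(chainId);
            unchecked { i += 1; }
        }
    }
}
```

If the sender address is stored as an `address` rather than `bytes`, the same two checks become comparisons against `address(0)`.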