Fix Immunefi Report #31869 (#174)

ringecosystem · Jun 3, 2024 · cadfae4 · cadfae4
1 parent ed758a0
commit cadfae4
Show file tree

Hide file tree

Showing 7 changed files with 11 additions and 17 deletions.
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@msgport/ormp",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "Oracle and Relayer based Message Protocol",
   "repository": "https://github.com/msgport/ORMP",
   "author": "Msgport dev",

diff --git a/src/ORMP.sol b/src/ORMP.sol
@@ -30,7 +30,7 @@ contract ORMP is ReentrancyGuard, Channel {
     constructor(address dao) Channel(dao) {}
 
     function version() public pure returns (string memory) {
-        return "2.0.0";
+        return "2.1.0";
     }
 
     /// @dev Send a cross-chain message over the endpoint.
@@ -92,6 +92,7 @@ contract ORMP is ReentrancyGuard, Channel {
         emit MessageAssigned(msgHash, uc.oracle, uc.relayer, oracleFee, relayerFee, params);
 
         // refund
+        require(msg.value >= relayerFee + oracleFee, "!fee");
         if (msg.value > relayerFee + oracleFee) {
             uint256 refundFee = msg.value - (relayerFee + oracleFee);
             _sendValue(refund, refundFee);
@@ -141,7 +142,6 @@ contract ORMP is ReentrancyGuard, Channel {
     /// @return dispatchResult Result of the message dispatch.
     function recv(Message calldata message, bytes calldata proof)
         external
-        payable
         recvNonReentrant
         returns (bool dispatchResult)
     {
@@ -158,10 +158,7 @@ contract ORMP is ReentrancyGuard, Channel {
         require(gasAvailable - gasAvailable / 64 > message.gasLimit, "!gas");
         // Deliver the message to user application contract address.
         (dispatchResult,) = message.to.excessivelySafeCall(
-            message.gasLimit,
-            msg.value,
-            0,
-            abi.encodePacked(message.encoded, msgHash, message.fromChainId, message.from)
+            message.gasLimit, 0, 0, abi.encodePacked(message.encoded, msgHash, message.fromChainId, message.from)
         );
     }
 

diff --git a/src/eco/Oracle.sol b/src/eco/Oracle.sol
@@ -36,7 +36,7 @@ contract Oracle is Verifier {
     receive() external payable {}
 
     function version() public pure returns (string memory) {
-        return "2.0.0";
+        return "2.1.0";
     }
 
     /// @dev Only could be called by owner.

diff --git a/src/eco/Relayer.sol b/src/eco/Relayer.sol
@@ -43,7 +43,7 @@ contract Relayer {
     }
 
     function version() public pure returns (string memory) {
-        return "2.0.0";
+        return "2.1.0";
     }
 
     receive() external payable {}

diff --git a/tron/ORMP.f.sol b/tron/ORMP.f.sol
@@ -409,7 +409,7 @@ contract ORMP is ReentrancyGuard, Channel {
     constructor(address dao) Channel(dao) {}
 
     function version() public pure returns (string memory) {
-        return "2.0.0";
+        return "2.1.0";
     }
 
     /// @dev Send a cross-chain message over the endpoint.
@@ -471,6 +471,7 @@ contract ORMP is ReentrancyGuard, Channel {
         emit MessageAssigned(msgHash, uc.oracle, uc.relayer, oracleFee, relayerFee, params);
 
         // refund
+        require(msg.value >= relayerFee + oracleFee, "!fee");
         if (msg.value > relayerFee + oracleFee) {
             uint256 refundFee = msg.value - (relayerFee + oracleFee);
             _sendValue(refund, refundFee);
@@ -520,7 +521,6 @@ contract ORMP is ReentrancyGuard, Channel {
     /// @return dispatchResult Result of the message dispatch.
     function recv(Message calldata message, bytes calldata proof)
         external
-        payable
         recvNonReentrant
         returns (bool dispatchResult)
     {
@@ -537,10 +537,7 @@ contract ORMP is ReentrancyGuard, Channel {
         require(gasAvailable - gasAvailable / 64 > message.gasLimit, "!gas");
         // Deliver the message to user application contract address.
         (dispatchResult,) = message.to.excessivelySafeCall(
-            message.gasLimit,
-            msg.value,
-            0,
-            abi.encodePacked(message.encoded, msgHash, message.fromChainId, message.from)
+            message.gasLimit, 0, 0, abi.encodePacked(message.encoded, msgHash, message.fromChainId, message.from)
         );
     }
 

diff --git a/tron/Oracle.f.sol b/tron/Oracle.f.sol
@@ -164,7 +164,7 @@ contract Oracle is Verifier {
     receive() external payable {}
 
     function version() public pure returns (string memory) {
-        return "2.0.0";
+        return "2.1.0";
     }
 
     /// @dev Only could be called by owner.

diff --git a/tron/Relayer.f.sol b/tron/Relayer.f.sol
@@ -143,7 +143,7 @@ contract Relayer {
     }
 
     function version() public pure returns (string memory) {
-        return "2.0.0";
+        return "2.1.0";
     }
 
     receive() external payable {}