ustas
low
StandardBridge allows ETH to be sent to the zero address.
The StandardBridge._initiateBridgeETH() function does not check _to != address(0).
This can lead to a loss of ETH and bad UX.
Manual Review, VSCodium
Add a check to the function.
/**
* @notice Initiates a bridge of ETH through the CrossDomainMessenger.
*
* @param _from Address of the sender.
* @param _to Address of the receiver.
* @param _amount Amount of ETH being bridged.
* @param _minGasLimit Minimum amount of gas that the bridge can be relayed with.
* @param _extraData Extra data to be sent with the transaction. Note that the recipient will
* not be triggered with this data, but it will be emitted and can be used
* to identify the transaction.
*/
function _initiateBridgeETH(
address _from,
address _to,
uint256 _amount,
uint32 _minGasLimit,
bytes memory _extraData
) internal {
require(_to != address(0), "StandardBridge: receiver cannot be zero address");
require(
msg.value == _amount,
"StandardBridge: bridging ETH must include sufficient ETH value"
);
emit ETHBridgeInitiated(_from, _to, _amount, _extraData);
MESSENGER.sendMessage{ value: _amount }(
address(OTHER_BRIDGE),
abi.encodeWithSelector(
this.finalizeBridgeETH.selector,
_from,
_to,
_amount,
_extraData
),
_minGasLimit
);
}