F-2024-0007 · missing-validation

Deposit function lacks whitelisted token check

Acknowledged · bridge · near · rainbow-bridge · github.com/Near-One/rainbow-token-connector
TL;DR

The deposit function in BridgeTokenFactory does not call _checkWhitelistedToken, allowing any token to be deposited regardless of whitelist status.

Severity: INFO
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW
Description

The deposit function in the BridgeTokenFactory contract allows users to deposit tokens from the NEAR blockchain to the Ethereum blockchain. However, it has been identified that the function does not include a check to verify if the token being deposited is whitelisted.

Impact

Without a whitelisted token check, the deposit function allows the deposit of any token, regardless of its whitelisting status. This means that potentially malicious, unauthorized, or untrusted tokens can be deposited into the contract, compromising the integrity and security of the bridge ecosystem.

Even though the proof is submitted through a relayer, it is recommended to perform this check on each chain.

Recommendation

Modify the deposit function to include a call to the _checkWhitelistedToken function before allowing the deposit of tokens.
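
The sketch below is an added example, not code from the audited repository: it places the reported deposit path next to the recommended one so the position of the check is visible. Proof verification is reduced to a caller-supplied `proofId`, and every name other than `deposit` and `_checkWhitelistedToken` (including their signatures and the storage layout) is an assumption made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration, NOT the rainbow-token-connector source.
// Assumptions: proof verification is reduced to a caller-supplied proofId,
// and every name except deposit/_checkWhitelistedToken is hypothetical.
contract BridgeTokenFactoryModel {
    address public immutable admin;
    mapping(string => bool) private _whitelisted;   // NEAR token id => allowed
    mapping(bytes32 => bool) private _usedProofs;   // replay protection
    mapping(string => mapping(address => uint256)) public credited;

    error TokenNotWhitelisted(string token);
    error ProofAlreadyUsed(bytes32 proofId);
    event Deposit(string token, address indexed recipient, uint256 amount);

    constructor() { admin = msg.sender; }

    function setWhitelisted(string calldata token, bool allowed) external {
        require(msg.sender == admin, "not admin");
        _whitelisted[token] = allowed;
    }

    function _checkWhitelistedToken(string memory token) internal view {
        if (!_whitelisted[token]) revert TokenNotWhitelisted(token);
    }

    // Shared tail of both variants: consume the proof, then credit.
    function _consumeAndCredit(bytes32 proofId, string memory token, address to, uint256 amount) private {
        if (_usedProofs[proofId]) revert ProofAlreadyUsed(proofId);
        _usedProofs[proofId] = true;
        credited[token][to] += amount;
        emit Deposit(token, to, amount);
    }

    // As reported: any token named in a valid proof is credited.
    function depositUnchecked(bytes32 proofId, string calldata token, address to, uint256 amount) external {
        _consumeAndCredit(proofId, token, to, amount);
    }

    // As recommended: reject non-whitelisted tokens before any state changes.
    function deposit(bytes32 proofId, string calldata token, address to, uint256 amount) external {
        _checkWhitelistedToken(token);
        _consumeAndCredit(proofId, token, to, amount);
    }
}
```

In this model the whitelist revert happens before the proof is marked as used, so a rejected deposit does not consume the proof.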

Resolution

Acknowledged.

© 2026 Zealynx