No refund of excess msg.value in native BNB operations leads to permanent absorption of overpaid funds
_handleWrap uses msg.value >= recipient.amount with no refund mechanism, so any overpayment is permanently absorbed into the bridge's balance and is only recoverable via emergencyWithdrawBNB, which also drains user collateral.
Description
In _handleWrap for native BNB operations, the balance check uses >=
rather than ==:
require(msg.value >= recipient.amount, "Insufficient native token sent");
If msg.value exceeds the total BNB needed for the operation, the excess
remains in the bridge's balance permanently. There is no refund mechanism
anywhere in the transaction flow. The
totalTransferred != permit.amount check at line 342 validates permit
accounting but does not enforce that msg.value matches the required
amount.
The only way to extract BNB from the bridge is emergencyWithdrawBNB,
which sweeps the entire native balance, including collateral backing
wrapped native tokens. It cannot selectively refund excess BNB without
also removing collateral.
Recommendation
Either enforce an exact match or refund excess BNB at the end of the transaction:
// Option 1: Enforce exact amount
require(msg.value == recipient.amount, "Incorrect native token amount");

// Option 2: Refund excess after operations
uint256 excess = msg.value - totalRequired;
if (excess > 0) {
    _transferNative(msg.sender, excess);
}
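The two options side by side with the original check, as an added sketch that is not the audited bridge's code. The contract name, the Recipient struct layout, the collateral and wrappedBalance variables, and the body of _transferNative are assumptions made for illustration; only the require statements and the refund snippet come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; not the audited bridge's code. Contract, struct and
// variable names are hypothetical, modelled on the identifiers in the finding.
contract NativeWrapSketch {
    struct Recipient { address to; uint256 amount; }
    // Native BNB held as backing for wrapped tokens (hypothetical accounting variable).
    uint256 public collateral;
    mapping(address => uint256) public wrappedBalance;

    // Before: overpayment passes the check and stays in the contract.
    function wrapNoRefund(Recipient calldata recipient) external payable {
        require(msg.value >= recipient.amount, "Insufficient native token sent");
        _credit(recipient);
    }

    // Option 1: reject anything other than the exact amount.
    function wrapExact(Recipient calldata recipient) external payable {
        require(msg.value == recipient.amount, "Incorrect native token amount");
        _credit(recipient);
    }

    // Option 2: accept overpayment, refund it after state updates.
    function wrapWithRefund(Recipient calldata recipient) external payable {
        uint256 totalRequired = recipient.amount;
        require(msg.value >= totalRequired, "Insufficient native token sent");
        _credit(recipient);                          // effects first
        uint256 excess = msg.value - totalRequired;  // cannot underflow after the require
        if (excess > 0) {
            _transferNative(msg.sender, excess);     // external call last
        }
    }

    function _credit(Recipient calldata recipient) internal {
        collateral += recipient.amount;
        wrappedBalance[recipient.to] += recipient.amount;
    }

    function _transferNative(address to, uint256 amount) internal {
        (bool ok, ) = payable(to).call{value: amount}("");
        require(ok, "Native refund failed");
    }

    // BNB held beyond what backs wrapped tokens; grows only via wrapNoRefund.
    function unbackedBalance() external view returns (uint256) {
        return address(this).balance - collateral;
    }
}
```

A test suite can assert that unbackedBalance() is unchanged after every wrap call with msg.value greater than recipient.amount, which fails for wrapNoRefund and holds for the other two paths.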
Resolution
YadaCoin, Confirmed.
Zealynx, Fixed.

