Mandatory native permit check bypassable with zero value
The native-permit existence check only validates structural presence in the permits array, so a no-op permit with zero value, zero amount, and no recipients satisfies the check and bypasses the mandatory BNB payment intent.
Description
The pre-flight validation loop in _executePermits requires a native BNB
permit (token == address(0)) to exist in the permits array:
    // Bridge.sol lines 222-240
    for (uint256 i = 0; i < ectx.permits.length; i++) {
        PermitData memory permit = ectx.permits[i];
        if (permit.token == address(0)) {
            hasNativeTransfer = true;
        }
        // ...
    }
    if (!hasNativeTransfer) revert MissingPermit();
However, this check only validates the structural presence of a native permit in the array; it does not enforce:
- msg.value > 0
- permit.amount > 0
- That the permit has any recipients
Since registerKeyPairWithTransfer is payable, it accepts msg.value = 0.
A caller can satisfy the mandatory native permit check with a no-op entry:
    {
        token: address(0),
        amount: 0,
        deadline: 0,
        v: 0,
        r: 0,
        s: 0,
        recipients: []
    }
The strict accounting check (totalTransferred != permit.amount) passes
because 0 == 0.
If the intent was to force every transaction to include a BNB payment, this does not achieve it: users can bypass it with a zero-amount native permit.
Recommendation
If BNB payment is mandatory, add an explicit msg.value floor:
    if (!hasNativeTransfer) revert MissingPermit();
    require(msg.value > 0, "Native BNB payment required");
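The presence-only check from the description, next to a stricter pre-flight that enforces all three conditions listed above, as an added example (not the audited Bridge.sol and not the project's actual fix). The field types, the Recipient shape, the contract and function names, and the EmptyNativePermit error are assumptions; the `value` parameter stands in for msg.value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited Bridge.sol. Field types are assumptions
// inferred from the no-op permit literal shown in the finding.
contract NativePermitPreflight {
    struct Recipient { address to; uint256 amount; } // assumed shape
    struct PermitData {
        address token;
        uint256 amount;
        uint256 deadline;
        uint8 v;
        bytes32 r;
        bytes32 s;
        Recipient[] recipients;
    }

    error MissingPermit();
    error EmptyNativePermit(uint256 index); // hypothetical error name

    // Mirrors the check described in the finding: only the presence of a
    // token == address(0) entry is tested, so an all-zero permit passes.
    function preflightPresenceOnly(PermitData[] calldata permits) external pure {
        bool hasNativeTransfer;
        for (uint256 i = 0; i < permits.length; i++) {
            if (permits[i].token == address(0)) hasNativeTransfer = true;
        }
        if (!hasNativeTransfer) revert MissingPermit();
    }

    // Stricter variant: a positive payment is required, and every native
    // permit must carry a non-zero amount and at least one recipient.
    // `value` stands in for msg.value in the payable entry point.
    function preflightStrict(PermitData[] calldata permits, uint256 value) external pure {
        require(value > 0, "Native BNB payment required");
        bool hasNativeTransfer;
        for (uint256 i = 0; i < permits.length; i++) {
            PermitData calldata p = permits[i];
            if (p.token != address(0)) continue;
            if (p.amount == 0 || p.recipients.length == 0) revert EmptyNativePermit(i);
            hasNativeTransfer = true;
        }
        if (!hasNativeTransfer) revert MissingPermit();
    }
}
```

Called with the no-op permit shown earlier and a value of 0, preflightPresenceOnly returns normally while preflightStrict reverts.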
Resolution
YadaCoin, Confirmed.
Zealynx, Fixed.

