During faucet registration (register_faucet in bridge_config.masm), the bridge should verify that the faucet's stored metadata_hash matches keccak256(abi.encode(name, symbol, decimals)) computed from the faucet's actual storage values.
Currently the metadata hash is trusted from the faucet deployer with no on-chain verification. A malicious or misconfigured deployer could set an incorrect hash, causing bridge-out claims to fail on the EVM side.
Prerequisites:
The verification would:
- FPI to the faucet to read name, symbol, decimals
- ABI-encode them in MASM
- Keccak256 the encoded bytes
- FPI to the faucet to read the stored metadata hash
- Assert they match
There is a TODO in bridge_config.masm::register_faucet tracking as of PR #2583
Related: #2453
During faucet registration (
register_faucetinbridge_config.masm), the bridge should verify that the faucet's storedmetadata_hashmatcheskeccak256(abi.encode(name, symbol, decimals))computed from the faucet's actual storage values.Currently the metadata hash is trusted from the faucet deployer with no on-chain verification. A malicious or misconfigured deployer could set an incorrect hash, causing bridge-out claims to fail on the EVM side.
Prerequisites:
abi.encode(string, string, uint8)in MASMThe verification would:
There is a TODO in
bridge_config.masm::register_faucettracking as of PR #2583Related: #2453