If you use cross-chain systems to transfer tokens or for any other user action, you should be careful with message params. Let's take a look at the following code snippet:
    function _sendMessage(
        address[] memory targets,
        uint256[] memory stakingIncentives,
        bytes memory bridgePayload,
        uint256 transferAmount
    ) internal override returns (uint256 sequence) {
        ...
        // If refundAccount is zero, default to msg.sender
        if (refundAccount == address(0)) {
            refundAccount = msg.sender;
        }
        ...
    }
When refundAccount is address(0), it defaults to msg.sender.
But what if msg.sender is a different contract address? This is what happened in the Olas protocol.
So every time a user sends ETH or tokens to the other chain, any refund will not go to the user, but to the contract from which it was sent!
Finally, the assets will be stuck forever!
Be careful with cross-chain messages!
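One way to avoid the default described above, as an added example that is not the Olas code or taken from the report: the sender reverts on a zero refund account, and the calling contract forwards the user's address explicitly. The `IBridgeRelayer` interface, the contract names and passing `refundAccount` as a parameter are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical relayer interface, assumed for this example only.
interface IBridgeRelayer {
    function send(bytes calldata payload, address refundAccount)
        external payable returns (uint256 sequence);
}

// Hardened sender: the refund recipient is mandatory.
contract BridgeSender {
    error ZeroRefundAccount();
    IBridgeRelayer public immutable relayer;

    constructor(IBridgeRelayer _relayer) { relayer = _relayer; }

    function sendMessage(bytes calldata bridgePayload, address refundAccount)
        external payable returns (uint256 sequence)
    {
        // Revert instead of defaulting: msg.sender here may be an
        // intermediate contract that cannot forward or withdraw a refund.
        if (refundAccount == address(0)) revert ZeroRefundAccount();
        sequence = relayer.send{value: msg.value}(bridgePayload, refundAccount);
    }
}

// Intermediate contract that users call (hypothetical).
contract Router {
    BridgeSender public immutable sender;

    constructor(BridgeSender _sender) { sender = _sender; }

    function bridgeFor(bytes calldata bridgePayload)
        external payable returns (uint256)
    {
        // At this level msg.sender is the user, so it is passed on as the
        // refund account; inside BridgeSender, msg.sender is this Router.
        return sender.sendMessage{value: msg.value}(bridgePayload, msg.sender);
    }
}
```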
Read the full report here:
#refund
#crosschain
#msg.sender