Last updated: February 06, 2026

SCWE-108: Unverified Cross-Chain Message Proofs

Stable Version v1.0

This content is in the version-(v1.0) and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).

Send Feedback

Relationships

• CWE-345: Insufficient Verification of Data Authenticity
  https://cwe.mitre.org/data/definitions/345.html

Description

Relayers may deliver fabricated payloads if the destination contract does not validate Merkle proofs, light-client headers, or signatures that attest to the message on the source chain. Forged messages can mint wrapped assets or execute arbitrary calls.

Remediation

• Verify message inclusion against a trusted root (Merkle/Patricia proof) or light-client header.
• Validate signatures from authorized validators and enforce quorum thresholds.
• Reject messages that fail proof verification or originate from unrecognized relayers.

Examples

Vulnerable

pragma solidity ^0.8.0;

contract Inbox {
    function deliver(bytes calldata payload) external {
        _process(payload); // assumes relayer is honest
    }
}

Fixed

pragma solidity ^0.8.0;

contract Inbox {
    address[] public validators;
    uint256 public constant QUORUM = 2;

    function deliver(bytes calldata payload, bytes[] calldata sigs) external {
        require(_verifyQuorum(payload, sigs) >= QUORUM, "invalid proof");
        _process(payload);
    }
}