fix(cctp): prevent self-sender in postDispatch (#8519)

yorhodes · web-flow · commit ac297dac9cb3 · 2026-04-06T18:02:55.000Z
diff --git a/.changeset/cctp-postdispatch-sender-check.md b/.changeset/cctp-postdispatch-sender-check.md
@@ -0,0 +1,5 @@
+---
+'@hyperlane-xyz/core': minor
+---
+
+Added a sender check in CctpBase._postDispatch to prevent misuse when called via transferRemote.
diff --git a/solidity/contracts/token/TokenBridgeCctpBase.sol b/solidity/contracts/token/TokenBridgeCctpBase.sol
@@ -66,6 +66,7 @@ abstract contract TokenBridgeCctpBase is
     error InvalidMintAmount();
     error InvalidMintRecipient();
     error InvalidMessageId();
+    error InvalidPostDispatchSender();
 
     uint256 private constant _SCALE = 1;
 
@@ -345,6 +346,13 @@ abstract contract TokenBridgeCctpBase is
         bytes calldata metadata,
         bytes calldata message
     ) internal override {
+        // Prevent backrunning transferRemote with postDispatch for the same message.
+        // transferRemote dispatches with sender == address(this). If an attacker
+        // backruns it with postDispatch, a second Circle "hook" message is created
+        // that can set isVerified[messageId] = true on the destination without
+        // executing the Circle mint, permanently stranding the user's burned funds.
+        if (message.senderAddress() == address(this))
+            revert InvalidPostDispatchSender();
         bytes32 id = message.id();
         if (!_isLatestDispatched(id)) revert MessageNotDispatched();
 
diff --git a/solidity/test/token/TokenBridgeCctp.t.sol b/solidity/test/token/TokenBridgeCctp.t.sol
@@ -792,6 +792,23 @@ contract TokenBridgeCctpV1Test is Test {
         tbOrigin.postDispatch(bytes(""), message);
     }
 
+    function test_postDispatch_revertsWhen_senderIsThis(
+        bytes32 recipient,
+        bytes calldata body
+    ) public {
+        bytes memory message = Message.formatMessage(
+            3,
+            0,
+            origin,
+            address(tbOrigin).addressToBytes32(),
+            destination,
+            recipient,
+            body
+        );
+        vm.expectRevert(TokenBridgeCctpBase.InvalidPostDispatchSender.selector);
+        tbOrigin.postDispatch(bytes(""), message);
+    }
+
     function test_hookType() public {
         assertEq(tbOrigin.hookType(), uint8(IPostDispatchHook.HookTypes.CCTP));
     }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@hyperlane-xyz/core': minor
 +---
++
 +Added a sender check in CctpBase._postDispatch to prevent misuse when called via transferRemote.