From 503511a89fef2ce25743e013ff116df9e290ebc1 Mon Sep 17 00:00:00 2001
From: jeff <113397187+cyberhorsey@users.noreply.github.com>
Date: Fri, 14 Jun 2024 18:32:26 -0700
Subject: [PATCH] fix(relayer): bounds check for erc20 + nft data (#17601)
---
 packages/relayer/indexer/save_event_to_db.go | 2 +-
 packages/relayer/types.go | 30 ++++++++++++++++++--
 2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/packages/relayer/indexer/save_event_to_db.go b/packages/relayer/indexer/save_event_to_db.go
index 0c15c0c57dc..674c0df0567 100644
--- a/packages/relayer/indexer/save_event_to_db.go
+++ b/packages/relayer/indexer/save_event_to_db.go
@@ -23,7 +23,7 @@ func (i *Indexer) saveEventToDB(
 ) (int, error) {
 eventType, canonicalToken, amount, err := relayer.DecodeMessageData(eventData, eventValue)
 if err != nil {
- return 0, errors.Wrap(err, "eventTypeAmountAndCanonicalTokenFromEvent(event)")
+ return 0, errors.Wrap(err, "relayer.DecodeMessageData")
 }
 
 // check if we have an existing event already. this is mostly likely only true
diff --git a/packages/relayer/types.go b/packages/relayer/types.go
index 83a1532ca66..1110c9d2aed 100644
--- a/packages/relayer/types.go
+++ b/packages/relayer/types.go
@@ -155,7 +155,20 @@ func decodeDataAsERC20(decodedData []byte) (CanonicalToken, *big.Int, error) {
 return token, big.NewInt(0), errors.New("data for BigInt is invalid")
 }
 
- canonicalTokenData := decodedData[offset.Int64()+canonicalTokenDataStartingindex*32:]
+ // Calculate the starting index for canonicalTokenData
+ startIndex := offset.Int64() + canonicalTokenDataStartingindex*32
+
+ // Boundary check
+ if startIndex >= int64(len(decodedData)) {
+ slog.Warn("startIndex greater than decodedData length",
+ "startIndex", startIndex,
+ "lenDecodedData", int64(len(decodedData)),
+ )
+
+ return token, big.NewInt(0), errors.New("calculated index is out of bounds")
+ }
+
+ canonicalTokenData := decodedData[startIndex:]
 
 types := []string{"uint64", "address", "uint8", "string", "string"}
 values, err := decodeABI(types, canonicalTokenData)
@@ -190,7 +203,20 @@ func decodeDataAsNFT(decodedData []byte) (EventType, CanonicalToken, *big.Int, e
 return EventTypeSendETH, token, big.NewInt(0), errors.New("data for BigInt is invalid")
 }
 
- canonicalTokenData := decodedData[offset.Int64()+canonicalTokenDataStartingindex*32:]
+ // Calculate the starting index for canonicalTokenData
+ startIndex := offset.Int64() + canonicalTokenDataStartingindex*32
+
+ // Boundary check
+ if startIndex >= int64(len(decodedData)) {
+ slog.Warn("startIndex greater than decodedData length",
+ "startIndex", startIndex,
+ "lenDecodedData", int64(len(decodedData)),
+ )
+
+ return EventTypeSendETH, token, big.NewInt(0), errors.New("calculated index is out of bounds")
+ }
+
+ canonicalTokenData := decodedData[startIndex:]
 
 types := []string{"uint64", "address", "string", "string"}
 values, err := decodeABI(types, canonicalTokenData)
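Review bot: The new guard `if startIndex >= int64(len(decodedData))` in decodeDataAsERC20 only rejects indices past the end, so a negative `startIndex` still reaches `decodedData[startIndex:]` and panics; the identical guard in the decodeDataAsNFT hunk has the same gap. `offset` appears to be a `*big.Int` (inferred from the preceding "data for BigInt is invalid" error, its declaration is outside the hunk), and `Int64()` is undefined for values that do not fit in int64, so an oversized offset in decoded message data can come out negative or wrap once the constant is added. I would tighten the condition in both functions to `if !offset.IsInt64() || startIndex < 0 || startIndex >= int64(len(decodedData)) {`, and reword the log text to something like `"startIndex out of range for decodedData"` since the check also fires on equality. Both function bodies start and end outside their hunks, so any earlier validation of `offset` is not visible here.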