Check invalid receiver in FTF Pool (#1087)

* add empty receiver check

* add wrappers

* add check for all zero receiver in ccipSendToken

* update wrappers

* update wrappers

* refactor: remove loop and evaluate for 2 words + rename: hasNonZero to isNonZero

* remove       ifiszero(isNonZero) + add fuzz test

* update test

* change fuzz test to achieve higher input space coverage

Author: 0xsuryansh

chains/evm/.gas-snapshot

@@ -1,10 +1,10 @@
 BurnFromMintTokenPool_lockOrBurn:test_constructor() (gas: 23404)
 BurnFromMintTokenPool_lockOrBurn:test_lockOrBurn() (gas: 245510)
 BurnMintFastTransferTokenPool_ccipReceive:test_ccipReceive_SlowFilled() (gas: 131739)
-BurnMintFastTransferTokenPool_ccipSendToken:test_ccipSendToken_Success() (gas: 130360)
-BurnMintFastTransferTokenPool_ccipSendToken:test_ccipSendToken_WithERC20FeeToken() (gas: 175290)
-BurnMintFastTransferTokenPool_validateSendRequest:test_validateSendRequest_Success() (gas: 31246)
-BurnMintFastTransferTokenPool_validateSendRequest:test_validateSendRequest_WithAllowlistedSender() (gas: 5666863)
+BurnMintFastTransferTokenPool_ccipSendToken:test_ccipSendToken_Success() (gas: 130544)
+BurnMintFastTransferTokenPool_ccipSendToken:test_ccipSendToken_WithERC20FeeToken() (gas: 175658)
+BurnMintFastTransferTokenPool_validateSendRequest:test_validateSendRequest_Success() (gas: 31430)
+BurnMintFastTransferTokenPool_validateSendRequest:test_validateSendRequest_WithAllowlistedSender() (gas: 5693920)
 BurnMintFastTransferTokenPool_validateSettlement:test_validateSettlement_Success() (gas: 116622)
 BurnMintFastTransferTokenPool_withdrawPoolFees_Test:test_withdrawPoolFees() (gas: 221755)
 BurnMintFastTransferTokenPool_withdrawPoolFees_Test:test_withdrawPoolFees_BothGasAnd() (gas: 285225)
@@ -90,16 +90,17 @@ FastTransferTokenPool_ccipReceive_Test:test_ccipReceive_SlowFill() (gas: 95467)
 FastTransferTokenPool_ccipReceive_Test:test_ccipReceive_SlowFill_WithPoolFee() (gas: 155881)
 FastTransferTokenPool_ccipReceive_Test:test_ccipReceive_WithDifferentDecimals() (gas: 94122)
 FastTransferTokenPool_ccipReceive_Test:test_ccipReceive_ZeroFastTransferFeeBps() (gas: 95480)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_APTOS_WithSettlementGas() (gas: 500582)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_APTOS_WithZeroSettlementGas() (gas: 587945)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_EqualFeeSplit() (gas: 73264)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_FeeQuote_WithPoolFee() (gas: 72784)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_FeeValidation_Success_WhenFeeEqualsLimit() (gas: 108966)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_FeeValidation_Success_WhenFeeWithinLimit() (gas: 108804)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_NativeFee() (gas: 129238)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_NativeFee_ToSVM() (gas: 170062)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_WithERC20FeeToken() (gas: 149985)
-FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_WithPoolFee() (gas: 156575)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_APTOS_WithSettlementGas() (gas: 500814)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_APTOS_WithZeroSettlementGas() (gas: 588199)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_EqualFeeSplit() (gas: 73470)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_FeeQuote_WithPoolFee() (gas: 72990)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_FeeValidation_Success_WhenFeeEqualsLimit() (gas: 109194)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_FeeValidation_Success_WhenFeeWithinLimit() (gas: 109032)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_NativeFee() (gas: 129426)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_NativeFee_ToSVM() (gas: 170294)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_ValidReceiver(uint8,bytes32,bytes32) (runs: 256, μ: 135011, ~: 134445)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_WithERC20FeeToken() (gas: 150441)
+FastTransferTokenPool_ccipSendToken_Test:test_ccipSendToken_WithPoolFee() (gas: 156803)
 FastTransferTokenPool_constructor:test_Constructor() (gas: 23117)
 FastTransferTokenPool_constructor:test_GetAllowListedFillers() (gas: 16885)
 FastTransferTokenPool_constructor:test_GetDestChainConfig() (gas: 35757)
@@ -109,8 +110,8 @@ FastTransferTokenPool_fastFill_Test:test_FastFill() (gas: 96770)
 FastTransferTokenPool_fastFill_Test:test_FastFill_AllowlistDisabled() (gas: 287166)
 FastTransferTokenPool_fastFill_Test:test_FastFill_MultipleFillers() (gas: 359042)
 FastTransferTokenPool_fastFill_Test:test_FastFill_WithDifferentDecimals() (gas: 100800)
-FastTransferTokenPool_getCcipSendTokenFee_Test:test_GetCcipSendTokenFee() (gas: 37997)
-FastTransferTokenPool_getCcipSendTokenFee_Test:test_GetCcipSendTokenFee_WithNativeFeeToken() (gas: 35877)
+FastTransferTokenPool_getCcipSendTokenFee_Test:test_GetCcipSendTokenFee() (gas: 38181)
+FastTransferTokenPool_getCcipSendTokenFee_Test:test_GetCcipSendTokenFee_WithNativeFeeToken() (gas: 36061)
 FastTransferTokenPool_supportsInterface:test_supportsInterface() (gas: 11851)
 FastTransferTokenPool_updateDestChainConfig:test_updateDestChainConfig() (gas: 131236)
 FastTransferTokenPool_updateDestChainConfig:test_updateDestChainConfig_MaxFastFee() (gas: 124283)

chains/evm/contracts/pools/FastTransferTokenPoolAbstract.sol

@@ -41,6 +41,7 @@ abstract contract FastTransferTokenPoolAbstract is TokenPool, CCIPReceiver, ITyp
   error TransferAmountExceedsMaxFillAmount(uint64 remoteChainSelector, uint256 amount);
   error InsufficientPoolFees(uint256 requested, uint256 available);
   error QuoteFeeExceedsUserMaxLimit(uint256 quoteFee, uint256 maxFastTransferFee);
+  error InvalidReceiver(bytes receiver);
 
   event DestChainConfigUpdated(
     uint64 indexed destinationChainSelector,
@@ -230,7 +231,7 @@ abstract contract FastTransferTokenPoolAbstract is TokenPool, CCIPReceiver, ITyp
     address settlementFeeToken,
     bytes calldata
   ) internal view virtual returns (InternalQuote memory internalQuote, Client.EVM2AnyMessage memory message) {
-    _validateSendRequest(destinationChainSelector);
+    _validateSendRequest(destinationChainSelector, receiver);
 
     // Using storage here appears to be cheaper.
     DestChainConfig storage destChainConfig = s_fastTransferDestChainConfig[destinationChainSelector];
@@ -380,14 +381,46 @@ abstract contract FastTransferTokenPoolAbstract is TokenPool, CCIPReceiver, ITyp
   /// @notice Validates the send request parameters. Can be overridden by derived contracts to add additional checks.
   /// @param destinationChainSelector The destination chain selector.
   /// @dev Checks if the destination chain is allowed, if the sender is allowed, and if the RMN curse applies.
-  function _validateSendRequest(
-    uint64 destinationChainSelector
-  ) internal view virtual {
+  function _validateSendRequest(uint64 destinationChainSelector, bytes calldata receiver) internal view virtual {
+    _validateReceiver(receiver);
+
     if (IRMN(i_rmnProxy).isCursed(bytes16(uint128(destinationChainSelector)))) revert CursedByRMN();
     _checkAllowList(msg.sender);
     if (!isSupportedChain(destinationChainSelector)) revert ChainNotAllowed(destinationChainSelector);
   }
 
+  /// @notice Validates receiver address parameters.
+  /// @dev Checks length bounds (0 < length ≤ 64) and ensures receiver is not all zeros.
+  /// @param receiver The receiver address to validate.
+  function _validateReceiver(
+    bytes calldata receiver
+  ) internal pure {
+    uint256 receiverLength = receiver.length;
+    if (receiverLength == 0 || receiverLength > 64) {
+      revert InvalidReceiver(receiver);
+    }
+
+    // Check if receiver is all zeros by scanning at most 2 32-byte words
+    bool isNonZero = false;
+    assembly {
+      let dataPtr := receiver.offset
+      // Load and check first 32 bytes
+      if calldataload(dataPtr) { isNonZero := 1 }
+
+      if gt(receiverLength, 32) {
+        // Load and check second 32 bytes only if receiver length > 32
+        // Note: dataPtr + 32 may exceed the actual receiver data bounds (e.g., for 40-byte receiver,
+        // this reads bytes [32, 64) where [40, 64) is out-of-bounds). However, this is safe because
+        // calldata is ABI-encoded with zero-padding to 32-byte boundaries, so out-of-bounds bytes are zeros.
+        if calldataload(add(dataPtr, 32)) { isNonZero := 1 }
+      }
+    }
+
+    if (!isNonZero) {
+      revert InvalidReceiver(receiver);
+    }
+  }
+
   /// @notice Validates settlement prerequisites. Can be overridden by derived contracts to add additional checks.
   /// @param sourceChainSelector The source chain selector.
   /// @param sourcePoolAddress The source pool address.

chains/evm/contracts/test/pools/FastTransferTokenPool/FastTransferTokenPool.ccipSendToken.t.sol

@@ -337,6 +337,53 @@ contract FastTransferTokenPool_ccipSendToken_Test is FastTransferTokenPoolSetup
     assertEq(s_token.balanceOf(OWNER), balanceBefore - SOURCE_AMOUNT);
   }
 
+  function test_ccipSendToken_RevertWhen_ReceiverIsEmptyBytes() public {
+    // Setup: Empty receiver address
+    bytes memory emptyReceiver = "";
+
+    vm.expectRevert(abi.encodeWithSelector(FastTransferTokenPoolAbstract.InvalidReceiver.selector, emptyReceiver));
+    s_pool.ccipSendToken{value: 1 ether}(DEST_CHAIN_SELECTOR, SOURCE_AMOUNT, 1 ether, emptyReceiver, address(0), "");
+  }
+
+  function test_ccipSendToken_RevertWhen_ReceiverExceedsMaxLength() public {
+    // Setup: Receiver longer than 64 bytes (65 bytes)
+    bytes memory oversizedReceiver = new bytes(65);
+    // Fill with non-zero data to ensure it's not rejected for being all zeros
+    for (uint256 i = 0; i < 65; i++) {
+      oversizedReceiver[i] = bytes1(uint8(i + 1));
+    }
+
+    vm.expectRevert(abi.encodeWithSelector(FastTransferTokenPoolAbstract.InvalidReceiver.selector, oversizedReceiver));
+    s_pool.ccipSendToken{value: 1 ether}(DEST_CHAIN_SELECTOR, SOURCE_AMOUNT, 1 ether, oversizedReceiver, address(0), "");
+  }
+
+  function test_ccipSendToken_RevertWhen_ReceiverIsAllZeros() public {
+    // Setup: 20-byte receiver address filled with zeros (typical Ethereum address length)
+    bytes memory zeroReceiver20 = new bytes(20);
+    // bytes constructor already initializes to zeros
+
+    vm.expectRevert(abi.encodeWithSelector(FastTransferTokenPoolAbstract.InvalidReceiver.selector, zeroReceiver20));
+    s_pool.ccipSendToken{value: 1 ether}(DEST_CHAIN_SELECTOR, SOURCE_AMOUNT, 1 ether, zeroReceiver20, address(0), "");
+
+    // Setup: 32-byte receiver address filled with zeros (one full word)
+    bytes memory zeroReceiver32 = new bytes(32);
+
+    vm.expectRevert(abi.encodeWithSelector(FastTransferTokenPoolAbstract.InvalidReceiver.selector, zeroReceiver32));
+    s_pool.ccipSendToken{value: 1 ether}(DEST_CHAIN_SELECTOR, SOURCE_AMOUNT, 1 ether, zeroReceiver32, address(0), "");
+
+    // Setup: 40-byte receiver address filled with zeros
+    bytes memory zeroReceiver40 = new bytes(40);
+
+    vm.expectRevert(abi.encodeWithSelector(FastTransferTokenPoolAbstract.InvalidReceiver.selector, zeroReceiver40));
+    s_pool.ccipSendToken{value: 1 ether}(DEST_CHAIN_SELECTOR, SOURCE_AMOUNT, 1 ether, zeroReceiver40, address(0), "");
+
+    // Setup: 64-byte receiver address filled with zeros (maximum allowed length)
+    bytes memory zeroReceiver64 = new bytes(64);
+
+    vm.expectRevert(abi.encodeWithSelector(FastTransferTokenPoolAbstract.InvalidReceiver.selector, zeroReceiver64));
+    s_pool.ccipSendToken{value: 1 ether}(DEST_CHAIN_SELECTOR, SOURCE_AMOUNT, 1 ether, zeroReceiver64, address(0), "");
+  }
+
   function test_ccipSendToken_RevertWhen_FeeExceedsUserMaxLimit() public {
     // Setup: Calculate expected fee and set max limit lower
     uint256 expectedFee = (SOURCE_AMOUNT * FAST_FEE_FILLER_BPS) / 10_000; // 1% of 100 ether = 1 ether
@@ -511,4 +558,30 @@ contract FastTransferTokenPool_ccipSendToken_Test is FastTransferTokenPoolSetup
 
     vm.startPrank(OWNER);
   }
+
+  // This test achieves higher input space coverage than setting 1 non-zero byte at random index
+  function test_ccipSendToken_ValidReceiver(uint8 receiverLength, bytes32 receiverHead, bytes32 receiverTail) public {
+    receiverLength = uint8(bound(receiverLength, 1, 64));
+    // Combine the 2 halves into bytes of length 64
+    bytes memory validReceiver = abi.encodePacked(receiverHead, receiverTail);
+    // Set bytes array length to target receiver length
+    assembly {
+      mstore(validReceiver, receiverLength)
+    }
+
+    // Throw out all-zero receiver
+    vm.assume(keccak256(validReceiver) != keccak256(new bytes(receiverLength)));
+
+    TestParams memory params = TestParams({
+      chainSelector: DEST_CHAIN_SELECTOR,
+      fastFeeBpsExpected: FAST_FEE_FILLER_BPS,
+      amount: SOURCE_AMOUNT,
+      mockMessageId: keccak256("mockMessageId"),
+      receiver: validReceiver
+    });
+    bytes memory extraArgs = Client._argsToBytes(
+      Client.GenericExtraArgsV2({gasLimit: SETTLEMENT_GAS_OVERHEAD, allowOutOfOrderExecution: true})
+    );
+    _executeTest(params, extraArgs);
+  }
 }

chains/evm/gobindings/generated/latest/fast_transfer_token_pool/fast_transfer_token_pool.go

@@ -11,7 +11,7 @@ cctp_message_transmitter_proxy: ../solc/ccip/CCTPMessageTransmitterProxy/CCTPMes
 don_id_claimer: ../solc/ccip/DonIDClaimer/DonIDClaimer.sol/DonIDClaimer.abi.json ../solc/ccip/DonIDClaimer/DonIDClaimer.sol/DonIDClaimer.bin 2ef6cba2f8e258c9d6f2dd55f8d2fc59ae5f686af609ed7d298e8ae9c3923448
 ether_sender_receiver: ../solc/ccip/EtherSenderReceiver/EtherSenderReceiver.sol/EtherSenderReceiver.abi.json ../solc/ccip/EtherSenderReceiver/EtherSenderReceiver.sol/EtherSenderReceiver.bin c862bb4e4aec2f889fae514872f1f287cc2bcdc2870e9134ffa3bdfd806ffb67
 factory_burn_mint_erc20: ../solc/ccip/FactoryBurnMintERC20/FactoryBurnMintERC20.sol/FactoryBurnMintERC20.abi.json ../solc/ccip/FactoryBurnMintERC20/FactoryBurnMintERC20.sol/FactoryBurnMintERC20.bin 5c4d7396a6fb8fd5087d28e15c64785426609670beb681547e7f924fb32c5f14
-fast_transfer_token_pool: ../solc/ccip/BurnMintFastTransferTokenPool/BurnMintFastTransferTokenPool.sol/BurnMintFastTransferTokenPool.abi.json ../solc/ccip/BurnMintFastTransferTokenPool/BurnMintFastTransferTokenPool.sol/BurnMintFastTransferTokenPool.bin 4dbe97fdc6e9977304c33239c448a6c2b3d62a85f106b232acdf5132ebd46c92
+fast_transfer_token_pool: ../solc/ccip/BurnMintFastTransferTokenPool/BurnMintFastTransferTokenPool.sol/BurnMintFastTransferTokenPool.abi.json ../solc/ccip/BurnMintFastTransferTokenPool/BurnMintFastTransferTokenPool.sol/BurnMintFastTransferTokenPool.bin 589df528573ce855f562236e5be48b71143ecb99214d6dc0b48c284ba300e157
 fee_quoter: ../solc/ccip/FeeQuoter/FeeQuoter.sol/FeeQuoter.abi.json ../solc/ccip/FeeQuoter/FeeQuoter.sol/FeeQuoter.bin 9c5997da2f7d38a98b2acba22146fa73f964139b29fae4996be708f34a4e9878
 hybrid_lock_release_usdc_token_pool: ../solc/ccip/HybridLockReleaseUSDCTokenPool/HybridLockReleaseUSDCTokenPool.sol/HybridLockReleaseUSDCTokenPool.abi.json ../solc/ccip/HybridLockReleaseUSDCTokenPool/HybridLockReleaseUSDCTokenPool.sol/HybridLockReleaseUSDCTokenPool.bin 914ea0b94e07a336e993f16422f5039f76db7c1949832f3fb29c4b69aabbd1ba
 lock_release_token_pool: ../solc/ccip/LockReleaseTokenPool/LockReleaseTokenPool.sol/LockReleaseTokenPool.abi.json ../solc/ccip/LockReleaseTokenPool/LockReleaseTokenPool.sol/LockReleaseTokenPool.bin a7db62ec9955f99c077f7746dd2a4fe327f474d8f72ece9833e15525e7b182ed

chains/evm/gobindings/generation/generated-wrapper-dependency-versions-do-not-edit.txt

@@ -10,7 +10,7 @@ echo " └───────────────────────
 # as specified in the foundry.toml.
 OPTIMIZE_RUNS_OFFRAMP=800
 OPTIMIZE_RUNS_FEE_QUOTER=8000
-OPTIMIZE_RUNS_BURN_MINT_FAST_TRASNFER_TOKEN_POOL=8000
+OPTIMIZE_RUNS_BURN_MINT_FAST_TRASNFER_TOKEN_POOL=5000
 PROJECT="ccip"
 FOUNDRY_PROJECT_SUFFIX="-compile"
 export FOUNDRY_PROFILE="$PROJECT"$FOUNDRY_PROJECT_SUFFIX