The withdrawTokensToL1 function in the L1BossBridge contract lacks critical security parameters: deadline (expiry time) for signatures, chain ID, and nonce. This omission poses a risk of replay attacks and signature misuse across different blockchain networks and within the same network.
In cross-chain transactions, signatures should be tightly bound to a specific blockchain (using chain ID) and be valid only for a limited time (deadline). Additionally, each transaction should have a unique identifier (nonce) to prevent replays. The current implementation misses these parameters, leaving the function vulnerable.
Cross-Chain Replay Attacks: Without a chain ID, a valid signature on one chain can potentially be reused maliciously on another chain.
Replay Attacks Within the Same Chain: Absence of a nonce allows the reuse of a signature for the same transaction multiple times.
Indefinite Signature Validity: Without a deadline, signatures remain valid indefinitely, increasing the risk of misuse or replay.
Manual Code Review
Include Chain ID: Modify the signature scheme to include the chain ID. This ensures that the signature is valid only on the intended chain.
Implement Nonce System: Maintain a nonce for each account, incrementing it with each transaction, and include it in the signature.
Add Deadline Parameter: Introduce a timestamp or block number as a deadline within the signature parameters.
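The three recommendations above combined into one signed-message scheme, as an added illustration (not the Boss Bridge code base; contract name, storage layout and OpenZeppelin v5 library imports are assumptions): the digest commits to the chain ID, the verifying contract, a per-account nonce that is consumed before any external call, and a deadline checked against block.timestamp.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 (ECDSA.recover rejects malleable signatures).
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Hypothetical hardened withdrawal authorisation, added for illustration.
contract HardenedWithdrawal {
    using ECDSA for bytes32;
    using MessageHashUtils for bytes32;

    address public immutable signer;            // operator whose signature authorises withdrawals
    mapping(address => uint256) public nonces;  // per-account replay counter (recommendation 2)

    error SignatureExpired(uint256 deadline);
    error BadSigner(address recovered);

    constructor(address _signer) {
        signer = _signer;
    }

    /// Digest binds chain ID (1), this contract, recipient, amount, nonce (2) and deadline (3).
    /// A signature produced for one chain, contract, nonce or time window is useless elsewhere.
    function withdrawalDigest(address to, uint256 amount, uint256 nonce, uint256 deadline)
        public
        view
        returns (bytes32)
    {
        return keccak256(abi.encode(block.chainid, address(this), to, amount, nonce, deadline))
            .toEthSignedMessageHash();
    }

    function withdrawTokensToL1(address to, uint256 amount, uint256 deadline, bytes calldata sig)
        external
    {
        // Recommendation 3: reject signatures past their expiry.
        if (block.timestamp > deadline) revert SignatureExpired(deadline);

        // Recommendation 2: consume the nonce before verifying/transferring so a
        // replayed signature recovers against a different digest and fails.
        uint256 nonce = nonces[to]++;

        // Recommendation 1: block.chainid is part of the digest, so cross-chain reuse fails.
        address recovered = withdrawalDigest(to, amount, nonce, deadline).recover(sig);
        if (recovered != signer) revert BadSigner(recovered);

        // Token transfer to `to` would follow here (omitted; out of scope for the finding).
    }
}
```

Off-chain, the operator signs withdrawalDigest(to, amount, nonces[to], deadline) for the target chain only; any other chain ID, nonce or expired deadline yields a different digest and the call reverts.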