Submission Details
Severity: high
Invalid

Unlimited Approval from L1Vault to L1BossBridge in Constructor

Summary

The constructor of the L1BossBridge contract grants the bridge an unlimited token approval from the L1Vault. This poses a substantial risk: if the bridge contract is ever compromised, the attacker can use that standing allowance to drain the vault.

Vulnerability Details

The constructor calls vault.approveTo(address(this), type(uint256).max), granting the bridge contract unrestricted access to the vault's token balance. This is hazardous because it concentrates all trust in the security of the bridge contract itself.

Impact

Potential Total Fund Drain: If the bridge contract is exploited, the attacker could transfer all the funds from the vault.

Increased Attack Incentives: Knowing the bridge has unlimited access might attract more attackers.

Tools Used

Manual Review

Recommendations

Limit Approval Amounts: Change the approval strategy to a more controlled limit based on expected usage.
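As an added illustration (not Boss Bridge source code), the following sketch places the constructor pattern described above beside one way of following the recommendation. It assumes a vault exposing approveTo(target, amount) as the finding describes, a minimal ERC-20 interface, and a hypothetical operator role that is allowed to release funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. IERC20 and IVault are minimal
// stand-ins; IVault.approveTo mirrors the call named in the finding.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IVault {
    function approveTo(address target, uint256 amount) external;
}

// Pattern described in the finding: one unlimited allowance is granted at
// deployment and never shrinks, so any flaw in the bridge exposes the
// vault's entire balance for the lifetime of the contract.
contract UnlimitedApprovalBridge {
    IVault public immutable vault;

    constructor(IVault _vault) {
        vault = _vault;
        vault.approveTo(address(this), type(uint256).max);
    }
}

// Alternative in the spirit of the recommendation: no standing allowance.
// The bridge asks the vault for exactly the amount of one withdrawal,
// moves it, and resets the allowance to zero, so the exposure at any
// instant is bounded by a single operation rather than the whole vault.
contract BoundedApprovalBridge {
    IERC20 public immutable token;
    IVault public immutable vault;
    address public immutable operator; // hypothetical release role

    constructor(IERC20 _token, IVault _vault, address _operator) {
        token = _token;
        vault = _vault;
        operator = _operator;
        // deliberately no approval in the constructor
    }

    function withdraw(address to, uint256 amount) external {
        require(msg.sender == operator, "not operator");
        vault.approveTo(address(this), amount);                      // just-in-time allowance
        require(token.transferFrom(address(vault), to, amount), "transfer failed");
        vault.approveTo(address(this), 0);                           // nothing left standing
    }
}
```

A test that checks token.allowance(address(vault), address(bridge)) is zero after every withdrawal is the natural way to lock this property in.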

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Too generic
