The L1BossBridge Solidity smart contract exhibits a potential Denial of Service (DoS) vulnerability in its depositTokensToL2 function. The issue arises from the use of a fixed DEPOSIT_LIMIT which, once reached, prevents further deposits, with no mechanism to adjust or reset the limit as tokens are withdrawn.
The contract sets a fixed DEPOSIT_LIMIT on the total amount of tokens that can be deposited, but withdrawals are not taken into account when that limit is enforced. Once the limit is reached, no further deposits can be made.
Consider this:
1. Deposit tokens repeatedly until the sum of tokens in the vault reaches DEPOSIT_LIMIT.
2. Attempt another deposit; it fails because the limit has been reached.
3. Even after tokens are withdrawn, further deposits remain impossible because the limit does not adjust.
This vulnerability can lead to a permanent halt of the deposit function, rendering a crucial part of the contract's functionality unusable. It can be exploited to lock the deposit feature, affecting the liquidity and functionality of the bridge.
Manual Review
Dynamic Limit Adjustment: Implement a mechanism that dynamically adjusts the effective DEPOSIT_LIMIT based on withdrawals. This can be achieved by maintaining a separate state variable that tracks the total deposited amount and is decremented on each withdrawal, so the check is made against the net amount held rather than the cumulative amount ever deposited.