Submission Details
Severity:
```L1BossBridge.depositTokensToL2()``` uses arbitrary ```from``` in ```safeTransferFrom()```
Summary
L1BossBridge.depositTokensToL2() uses arbitrary from in safeTransferFrom(). The User approves the L1BossBridge contract to spend her/his tokens. FakeUser can call depositTokensToL2() and specify User address as the from parameter in safeTransferFrom(), allowing him/her to transfer Users tokens to himself/herself L2 account. In this way FakeUser steals the User tokens.
Vulnerability Details
@> function depositTokensToL2(address from, address l2Recipient, uint256 amount) external whenNotPaused {
if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
revert L1BossBridge__DepositLimitReached();
}
@> token.safeTransferFrom(from, address(vault), amount);
emit Deposit(from, l2Recipient, amount);
}
Impact
//Fake User can steal tokens from User by calling depositTokensToL2 with User as from
function testFakeUserCanDepositUserTokensAndStealTokens() public {
vm.startPrank(user);
uint256 amount = 10e18;
token.approve(address(tokenBridge), amount);
vm.startPrank(fakeUser);
vm.expectEmit(address(tokenBridge));
emit Deposit(user, fakeUserInL2, amount);
tokenBridge.depositTokensToL2(user, fakeUserInL2, amount);
assertEq(token.balanceOf(address(tokenBridge)), 0);
assertEq(token.balanceOf(address(vault)), amount);
vm.stopPrank();
}
Tools Used
Slither
Recommendations
Use msg.sender instead of from.
function depositTokensToL2(address from, address l2Recipient, uint256 amount) external whenNotPaused {
if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
revert L1BossBridge__DepositLimitReached();
}
- token.safeTransferFrom(from, address(vault), amount);
+ token.safeTransferFrom(msg.sender, address(vault), amount);
emit Deposit(from, l2Recipient, amount);
}
Updates
Lead Judging Commences
0xnevi almost 2 years ago
Submission Judgement Published Assigned finding tags:
depositTokensToL2(): abitrary from address
Rewards breakdown
nSLOC
99This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.