Severity: high
Valid

Unauthorized Token Deposit Exploit in `L1BossBridge` Smart Contract

Summary

This issue demonstrates a scenario in which an unauthorized user attempts to deposit tokens on behalf of another user by exploiting the vulnerability identified in the `depositTokensToL2` function. This could lead to unintended token transfers and poses a significant security risk.

Vulnerability Details

The vulnerability allows an attacker to bypass authorization checks by manipulating the `from` parameter of the `depositTokensToL2` function. The attacker attempts to deposit tokens on behalf of another user without proper authorization, highlighting the potential for unauthorized token transfers.

Proof of Concept

    function testUnauthorizedDepositTokens() public {
        uint256 amount = 5e18;
        // Approve the bridge to spend tokens (no prank is set, so this approval comes from the test contract itself)
        token.approve(address(tokenBridge), amount);
        // Attempt to deposit tokens on behalf of another user (from = userA)
        tokenBridge.depositTokensToL2(userA, userB, amount);
        // Ensure that the unauthorized deposit did not occur
        assertEq(token.balanceOf(address(tokenBridge)), 0);
        assertEq(token.balanceOf(address(vault)), 0);
    }
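
The following Foundry test is an added example, not code from the submission or the audited repository; it contrasts a caller-supplied `from` with `msg.sender` when another user has already approved the bridge. `MockToken`, `MiniBridge`, `depositWithFrom`, `depositFromSender` and the `caller` address are constructed stand-ins, plain `transferFrom` on OpenZeppelin's `ERC20` replaces `safeTransferFrom`, and forge-std plus OpenZeppelin Contracts are assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
// Constructed stand-ins for illustration; not the audited L1BossBridge, token or vault.
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MCK") {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}
contract MiniBridge {
    ERC20 public immutable token;
    address public immutable vault;
    constructor(ERC20 _token, address _vault) { token = _token; vault = _vault; }
    // Pre-fix shape: the caller chooses whose allowance is spent.
    function depositWithFrom(address from, address, uint256 amount) external {
        token.transferFrom(from, vault, amount);
    }
    // Post-fix shape: only the caller's own allowance can be spent.
    function depositFromSender(address, uint256 amount) external {
        token.transferFrom(msg.sender, vault, amount);
    }
}

contract DepositAuthorizationTest is Test {
    MockToken token; MiniBridge bridge;
    address vault = makeAddr("vault");
    address userA = makeAddr("userA");
    address caller = makeAddr("caller"); // holds no tokens, has approved nothing
    uint256 constant AMOUNT = 5e18;
    function setUp() public {
        token = new MockToken();
        bridge = new MiniBridge(token, vault);
        token.mint(userA, AMOUNT);
        vm.prank(userA);
        token.approve(address(bridge), AMOUNT); // userA approves but never deposits
    }
    function testFromParameterSpendsSomeoneElsesAllowance() public {
        vm.prank(caller);
        bridge.depositWithFrom(userA, caller, AMOUNT);
        assertEq(token.balanceOf(userA), 0); // moved although userA never called
        assertEq(token.balanceOf(vault), AMOUNT);
    }
    function testMsgSenderVariantLeavesUserAUntouched() public {
        vm.prank(caller);
        vm.expectRevert(); // caller has no balance or allowance of its own
        bridge.depositFromSender(caller, AMOUNT);
        assertEq(token.balanceOf(userA), AMOUNT);
    }
}
```

The second test is the one worth keeping as a regression check once the recommended fix is applied.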

Impact

The impact of this vulnerability is severe, as it allows unauthorized users to deposit tokens on behalf of others, potentially leading to financial losses, disruptions in token flow, and unauthorized access to the deposit functionality. This undermines the security and integrity of the token deposit process.

Tools Used

  • Manual review

  • Slither

  • Foundry

Recommendations

Implement Robust Authorization Checks: Enhance the depositTokensToL2 function to include robust authorization checks, ensuring that only the legitimate token owners can initiate deposits. Utilize msg.sender instead of from to accurately identify the caller.

- function depositTokensToL2(address from, address l2Recipient, uint256 amount) external whenNotPaused {
+ function depositTokensToL2(address l2Recipient, uint256 amount) external whenNotPaused {
if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
revert L1BossBridge__DepositLimitReached();
}
- token.safeTransferFrom(from, address(vault), amount);
+ token.safeTransferFrom(msg.sender, address(vault), amount);
// Our off-chain service picks up this event and mints the corresponding tokens on L2
emit Deposit(msg.sender, l2Recipient, amount);
}
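
Review bot: the new signature on the `+ function depositTokensToL2(address l2Recipient, uint256 amount)` line drops the `from` argument, so every existing three-argument caller stops compiling, including the proof of concept's `tokenBridge.depositTokensToL2(userA, userB, amount)`. Update those call sites and any parameter documentation for `from` in the same change, and add a regression test in which one user approves the bridge and a different account's deposit call leaves that user's balance untouched.
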
Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

depositTokensToL2(): arbitrary from address
