Submission Details
Severity: high
Valid

Centralization Risks and Replay Attack Vulnerability in L1BossBridge

Summary

The L1BossBridge.sol contract carries significant centralization risk, because its critical controls are owner-only, and it lacks protection against signature replay, because the withdrawal signature does not cover a nonce.

Vulnerability Details

The contract's critical functions, such as pause, unpause, and setSigner, are controlled solely by the owner, which creates a single point of failure and a centralization risk. Furthermore, the absence of a nonce in the signed message used for withdrawals means a valid signature can be submitted more than once, enabling replay attacks.

Impact

Centralization risk: if the owner's account is compromised, the bridge can be halted entirely or driven to take unauthorized actions. Replay risk: a previously signed withdrawal can be resubmitted to trigger unauthorized token transfers, leading to financial loss.

Tools Used

Manual code review and analysis.

Recommendations

Flawed Code in L1BossBridge.sol

function withdrawTokensToL1(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
    // ...
    // Signature verification without a nonce: the digest covers only (to, amount),
    // so the same (v, r, s) remains valid for every later call with the same inputs.
    address signer = ECDSA.recover(
        MessageHashUtils.toEthSignedMessageHash(keccak256(abi.encodePacked(to, amount))),
        v, r, s
    );
    // ...
}

Proposed Code Change

mapping(address => uint256) private nonces;

function withdrawTokensToL1(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s, uint256 nonce) external {
    require(nonce == nonces[to], "Invalid nonce"); // Ensure the nonce is the next expected one
    nonces[to]++; // Increment the nonce before any external call to prevent replay attacks
    // Signature verification with nonce: the digest now binds (to, amount, nonce)
    address signer = ECDSA.recover(
        MessageHashUtils.toEthSignedMessageHash(keccak256(abi.encodePacked(to, amount, nonce))),
        v, r, s
    );
    // ...
}
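The following is an added example, not code from the Boss Bridge project or from the submission above. It carries the proposed nonce fix through to a complete, compilable withdraw path and goes one step further than the snippet: the signed digest also binds the chain id and the contract address, so a signature cannot be replayed on a fork or on a second deployment, and the recovered signer is checked against an allow-list. The contract name, the `vault` and `signers` storage and the constructor are assumptions made for this example; it targets OpenZeppelin 5.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Hypothetical hardened withdraw path (example code, not the project's contract).
contract NonceGuardedWithdraw {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable vault;            // assumption: vault has approved this contract
    mapping(address => bool) public signers;   // assumption: operator allow-list
    mapping(address => uint256) public nonces; // next expected nonce per recipient

    event Withdrawn(address indexed to, uint256 amount, uint256 nonce);

    constructor(IERC20 _token, address _vault, address initialSigner) {
        token = _token;
        vault = _vault;
        signers[initialSigner] = true;
    }

    /// Digest binds chain id, this contract, recipient, amount and nonce.
    /// abi.encode (not encodePacked) is used so the field layout is unambiguous.
    function withdrawDigest(address to, uint256 amount, uint256 nonce) public view returns (bytes32) {
        return MessageHashUtils.toEthSignedMessageHash(
            keccak256(abi.encode(block.chainid, address(this), to, amount, nonce))
        );
    }

    function withdrawTokensToL1(address to, uint256 amount, uint256 nonce, uint8 v, bytes32 r, bytes32 s)
        external
    {
        require(nonce == nonces[to], "Invalid nonce");
        nonces[to] = nonce + 1; // consume the nonce before the external token call

        address signer = ECDSA.recover(withdrawDigest(to, amount, nonce), v, r, s);
        require(signers[signer], "Unauthorized signer");

        token.safeTransferFrom(vault, to, amount);
        emit Withdrawn(to, amount, nonce);
    }
}
```

Because the nonce is sequential per recipient, the off-chain signer must issue withdrawals for the same `to` address in order; an out-of-order submission reverts with "Invalid nonce" rather than being silently accepted.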
Updates

Lead Judging Commences

0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

withdrawTokensToL1()/sendToL1(): signature replay
