The risk assumptions of the bridge are such that it is under the control of the L1BossBridge contract owner.
We are aware the bridge is centralized and owned by a single user, aka it is centralized.
The language used implies a distinction between signers and the owner, portraying signers as external users or operators. This is further reinforced by the contract's authorization mechanism.
Signer: Users who can "send" a token from L2 -> L1.
Consequently, our observations reveal a vulnerability wherein malicious signers possess the ability to siphon funds not originally deposited by them.
Any user that has been added as a signer by the contract's owner is able to forge a valid signature and authorize a withdrawal to an arbitrary "to" address. A rogue or compromised signer could drain the funds held in the vault contract and send them to a wallet under their control.
Rogue signer can drain funds from the contract.
VSCode
The withdrawal mechanism back to L1 should implement a checking mechanism in which:
Only a User that has deposited tokens is able to withdraw up to
The recipient of the withdrawal request should match the original depositor's address
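A minimal Solidity sketch of the two checks recommended above, added here as an illustration and not taken from the L1BossBridge source. The contract name, function names and storage layout are hypothetical, and it assumes the withdrawal cap is the caller's own recorded deposit, since the sentence stating the cap is cut off on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not the L1BossBridge source. All names are hypothetical.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract DepositBoundBridge {
    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => bool) public signers;
    mapping(address => uint256) public deposited; // amount each depositor may still reclaim
    mapping(address => uint256) public nonces;    // per-recipient replay protection

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }

    function setSigner(address s, bool ok) external {
        require(msg.sender == owner, "not owner");
        signers[s] = ok;
    }

    function deposit(uint256 amount) external {
        deposited[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // A signer still attests to the L2 -> L1 request, but the signature alone
    // no longer decides who is paid or how much.
    function withdraw(uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        address to = msg.sender;                              // recipient must be the depositor
        require(amount <= deposited[to], "exceeds deposit");  // assumed cap: own deposit
        // Bind the signature to chain, contract, recipient, amount and nonce.
        bytes32 digest = keccak256(abi.encode(block.chainid, address(this), to, amount, nonces[to]++));
        bytes32 ethHash = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest));
        address signer = ecrecover(ethHash, v, r, s);
        require(signer != address(0) && signers[signer], "bad signature");
        deposited[to] -= amount;                              // effects before interaction
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

With these checks a rogue or compromised signer can still approve or withhold a withdrawal, but a signature they produce cannot move funds to an address that never deposited or exceed what that address deposited.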