Using of balanceOf() function in depositTokensToL2() can put the contract under the risk of DOS
Summary
In L1BossBridge.sol: depositTokensToL2() there is a check as follows:
which can be manipulated by transferring a large amount of token to the vault to make it always revert.
Vulnerability Details
As stated above using balanceOf(address(vault)) can be very dangerous as the attacker can make the deposit always revert and corrupt the whole protocol functionality,
Adding to this the fact that there is no restrictions on minting new BBT tokens (this is another finding I've submitted) the exploit of this vulnerability becomes feasible.
Impact
This will disables the functionality of the protocol.
Tools Used
manual review
Recommendations
just check that the deposit is not greater than DEPOSIT_LIMIT
Lead Judging Commences
depositTokensToL2(): DoS deposits via DEPOSIT_LIMIT
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.