Submission Details
Severity: high
Invalid

Withdrawal approval mechanism L2->L1 leads to locking of funds in L2

Summary

One effect of the bridge's L2 -> L1 withdrawal approval policy is that a user who acquires tokens on L2 cannot bridge those tokens to L1 unless they have already bridged tokens L1 -> L2.

Vulnerability Details

Let's look at the policy specified in the README.md:

https://github.com/Cyfrin/2023-11-Boss-Bridge/#on-withdrawals

The bridge operator is in charge of signing withdrawal requests submitted by users. These will be submitted on the L2 component of the bridge, not included here. Our service will validate the payloads submitted by users, checking that the account submitting the withdrawal has first originated a successful deposit in the L1 part of the bridge.

An example scenario: user_1 bridges 10 BBT from L1 -> L2, then swaps them in a swap pool for another token, say 10 custom_token. user_2, who already has ownership of 10 custom_token, decides to swap them for 10 BBT in that same swap pool.
As a result, user_2 will have ownership of those BBT on L2 but will not be able to withdraw them to L1, because the policy requires user_2 to have deposited tokens L1 -> L2.

Impact

Tokens become locked in L2.

Tools Used

Manual Review.

Recommendations

Remove this requirement. A user that has ownership of tokens in L2 should be able to bridge them to L1, regardless of previous activity.
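
The scenario above as a small model, added here as an illustration and not taken from the submission or the Boss Bridge code base. The operator service is not in the repository, so `BridgeModel` and its methods are hypothetical, as is the assumption that the operator also checks the requester's L2 balance.

```python
# Toy model of the operator's withdrawal-approval policy quoted from the README.
# Hypothetical names throughout; accounts and amounts are constructed sample data.
from collections import defaultdict


class BridgeModel:
    def __init__(self):
        self.l1_depositors = set()       # accounts with a successful L1 deposit
        self.l2_bbt = defaultdict(int)   # BBT balances on L2
        self.l1_vault = 0                # BBT locked on L1 backing the L2 supply

    def deposit(self, account, amount):
        """L1 -> L2: lock BBT on L1 and credit the same account on L2."""
        self.l1_vault += amount
        self.l1_depositors.add(account)
        self.l2_bbt[account] += amount

    def l2_transfer(self, sender, recipient, amount):
        """Any L2 movement of BBT; a pool swap is two such transfers."""
        if self.l2_bbt[sender] < amount:
            raise ValueError("insufficient L2 balance")
        self.l2_bbt[sender] -= amount
        self.l2_bbt[recipient] += amount

    def approve_documented(self, account, amount):
        """README policy: the requester must have deposited on L1 first."""
        return account in self.l1_depositors and 0 < amount <= self.l2_bbt[account]

    def approve_recommended(self, account, amount):
        """Submission's recommendation: owning the tokens on L2 is enough."""
        return 0 < amount <= self.l2_bbt[account]


def scenario():
    """user_1 deposits 10 BBT and sells them; user_2 buys them from the pool."""
    b = BridgeModel()
    b.deposit("user_1", 10)
    b.l2_transfer("user_1", "pool", 10)  # custom_token leg of the swap not modelled
    b.l2_transfer("pool", "user_2", 10)
    return {
        "documented": b.approve_documented("user_2", 10),
        "recommended": b.approve_recommended("user_2", 10),
        "l1_vault": b.l1_vault,
        "user_2_l2_balance": b.l2_bbt["user_2"],
    }


if __name__ == "__main__":
    print(scenario())
```

The 10 BBT stay fully backed in the L1 vault in both cases; the only difference between the two checks is whether the requester's deposit history is consulted.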

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
