Attacker can drain vault tokens by depositing any amount of corresponding tokens to L2 as there is no checking of amount of deposit added to the bridge by each user.
To test this create an address for the attacker:
address attacker = makeAddr("attacker");
Transfer him some tokens in the setup
token.transfer(address(attacker), 1e8);
Run the below test:
This can cause all the tokens of a vault to be drained as long as the attacker can acquire a small amount of those tokens.
Foundry
Create a mapping of deposits of users
mapping(address account => uint256 deposit) depositOfUsers;
In deposits, update the mapping
depositOfUsers[from] =+ amount;
and require that users cannot withdraw more than what they have deposited
require(amount =< depositOfUsers[account])
depositOfUsers[to] =- amount;
before sending the transfer
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.