Any approved funds can front run and drained to the attackers L2 address.
A malicious actor can monitor events in the mempool and when they see an approval to the Bossbridge contract they can steal all the approved tokens by calling the depositTokensToL2(...) function with themselves as the recipient.
PoC:
High impact. This is a critical issue and will result in anyone who sets an approval to the bridge contract to have a very high risk of having their funds stolen.
Manual review
Foundry integration tests
the simplest way to deal with this issue is to restrict caller to the token owner in the depositTokensToL2(...) function
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.