No storage of user deposit amount on L1 bridge
Summary
The L1BossBridgecontract does not store any deposit made by users which is then the responsibility of the L2 contract not provided here.
Vulnerability Details
When depositTokensToL2 function is used by a user, the amount of token transferred to the vault are not registered in the L1BossBridgecontract.
The contract emits a Depositevent with the details of the transfer done.
it is the the responsibility of the off-chain mechanism or the L2 bridge contract to keep this information.
The documentation indicates that :
Our service will validate the payloads submitted by users, checking that the account submitting the withdrawal has first originated a successful deposit in the L1 part of the bridge
Anyway this is not enough : it is necessary to check also that the withdrawal amount is not bigger that the amount deposited by the user.
Impact
If the token amount deposited on L2 is not checked, the user could withdraw more token than he has deposited
Tools Used
No tools used. It was discovered through manual inspection of the contract.
Recommendations
It would be safer to store the amount of tokens deposited on L1BossBridgecontract by each users and check that amount when withdrawTokensToL1 is called;
Lead Judging Commences
withdrawTokensToL1(): No check for deposits amount
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.