FoundryBridge (Beginner Friendly)
100 EXP
Submission Details
Severity: medium
Invalid

CREATE instead of CREATE2 in TokenFactory::deployToken

Summary

The deployToken function deploys tokens with create rather than create2, so the resulting token address depends on the deployer's nonce and is not reproducible across chains. This can lead to loss of funds or unexpected behavior when the same token is expected at the same address on more than one chain.

Vulnerability Details

The deployToken function deploys a new token contract with the create opcode rather than create2. A create address is derived from the deployer's address and current nonce (keccak256 of the RLP encoding of the pair), so it can only be reproduced on another chain if the deployer's nonce is identical there. If the owner sends a transaction on one chain but not on the other, the nonces diverge and the token contract addresses no longer match between chains. This can result in loss of funds or unexpected behavior when interacting with the tokens, especially if the event emitted by deployToken on one chain is used to reference or create the token on the other chain.

Impact

The vulnerability can have several potential impacts, including:

  • Loss of funds: If an owner deploys a token contract on one chain but the corresponding deployment on the other chain happens later, or the owner has sent additional transactions on the other chain in the meantime, the token contract's address will differ between the chains. Users or bridge logic that assume the same address on both chains can then send tokens to an address that holds no token contract on that chain, resulting in a loss of funds.

  • Unexpected behavior: If an owner deploys a token contract on one chain but not on another, the address derived on the second chain will be different or unused. Any component that keys on the token address across chains will then behave unexpectedly, causing confusion and potentially financial losses.

Tools Used

Manual review

Recommendations

To address this vulnerability, it is recommended to use the create2 opcode for token deployment instead of create. create2 derives the contract address from the factory's address, a caller-chosen salt, and the hash of the init code, so it does not depend on the deployer's nonce and can be computed off-chain before deployment. Note the precondition: the address is only identical across chains if the TokenFactory itself sits at the same address on each chain and the init code (including constructor arguments and compiler output) is byte-for-byte identical; if those differ, create2 does not help. Deriving the salt from the token symbol also makes a second deployment of the same symbol fail instead of silently producing a second address.
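As an added illustration of the recommendation (this is not the contest's TokenFactory code, and the contract, function, mapping and event names are assumptions), the factory below deploys with create2 after predicting the address, and includes a helper showing how a create address is tied to the deployer's nonce, which is the mismatch described in the vulnerability details:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this finding, not the contest's TokenFactory.
// The symbol -> address mapping and TokenDeployed event mirror the finding's
// description; all names here are assumptions.
contract TokenFactoryCreate2 {
    event TokenDeployed(string symbol, address tokenAddress);

    address private immutable i_owner;
    mapping(string => address) private s_tokenToAddress;

    modifier onlyOwner() {
        require(msg.sender == i_owner, "not owner");
        _;
    }

    constructor() {
        i_owner = msg.sender;
    }

    // CREATE address for a deployer nonce in 1..127:
    //   keccak256(rlp([deployer, nonce]))[12:]
    // rlp([20-byte address, single-byte nonce]) = 0xd6 0x94 <address> <nonce>
    // Any extra transaction on one chain bumps the nonce and changes this value.
    function computeCreateAddress(address deployer, uint8 nonce) public pure returns (address) {
        require(nonce >= 1 && nonce <= 0x7f, "nonce outside single-byte RLP range");
        bytes32 hash = keccak256(abi.encodePacked(bytes1(0xd6), bytes1(0x94), deployer, bytes1(nonce)));
        return address(uint160(uint256(hash)));
    }

    // CREATE2 address: keccak256(0xff ++ factory ++ salt ++ keccak256(initCode))[12:]
    // Independent of any nonce. Identical on every chain only where this factory
    // is at the same address and initCode (constructor args included) is identical.
    function computeCreate2Address(bytes32 salt, bytes memory initCode) public view returns (address) {
        bytes32 hash = keccak256(abi.encodePacked(bytes1(0xff), address(this), salt, keccak256(initCode)));
        return address(uint160(uint256(hash)));
    }

    // Deploys with create2, using the symbol as the salt so the same symbol maps to
    // the same address on every chain that satisfies the preconditions above.
    function deployToken(string memory symbol, bytes memory initCode) public onlyOwner returns (address addr) {
        require(s_tokenToAddress[symbol] == address(0), "symbol already deployed");
        bytes32 salt = keccak256(bytes(symbol));
        address predicted = computeCreate2Address(salt, initCode);
        assembly {
            addr := create2(0, add(initCode, 0x20), mload(initCode), salt)
        }
        // create2 returns address(0) on failure, including when the target
        // address already has code (a repeated deployment with the same salt).
        require(addr != address(0), "create2 failed");
        require(addr == predicted, "create2 address mismatch");
        s_tokenToAddress[symbol] = addr;
        emit TokenDeployed(symbol, addr);
    }

    function getTokenAddressFromSymbol(string memory symbol) external view returns (address) {
        return s_tokenToAddress[symbol];
    }
}
```

Calling computeCreateAddress with the same deployer and two different nonces shows two unrelated addresses, which is exactly what happens when the owner's nonce drifts between chains; computeCreate2Address for the same salt and init code returns one address regardless of how many transactions the owner has sent. For the cross-chain guarantee to hold, the factory itself must be placed at the same address on each chain (for example deployed from a fresh EOA at nonce 0, or through a deterministic deployer), and the token init code must not embed chain-specific constructor arguments.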

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
