First Flight #4: Boss Bridge

First Flight #4

Beginner FriendlyFoundryBridge

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Anyone can trigger the withdrawTokensToL1() function eventhough the depositor do not want to withdraw yet

uint256vieet

Summary

Anyone can trigger the withdrawTokensToL1() function even though the depositor do not want to withdraw yet

Vulnerability Details

function withdrawTokensToL1(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external

This is the external function that allow user to withdraw token to L1 if they already deposit same amount to L2 and get verified by the centralized off-chain actor
So for example A deposit 200 DAI to L2 and the event emitted
The off-chain actor will sign the message included:

( abi.encode(

address(token),

0, // value

abi.encodeCall(IERC20.transferFrom, (address(vault), to, amount))

))

and generate 3 piece of their signature: v,r,s

Those piece of signature v,r,s is public to anyone due to the params that withdrawTokensToL1 requires.
So this scenario can happen:
1, Anyone can get v,r,s because those variable are public
2, Anyone also know A deposited 200 DAI to L2 because the event in blockchain are public
3, They just need to add address depositor, amount and combine with v,r,s as params to pass to withdrawTokensToL1
so just by do that they can force withdraw to the user A even though user A do not want to withdraw yet.

Impact

This Vulnerability can lead to many scenario that any one not the depositor can trigger the withdraw behavior of other depositor every time.

Tools Used

Manual

Recommendations

Replace address to with msg.sender to prevent the caller of withdrawTokensToL1 is not the one who deposit to L2.

function withdrawTokensToL1( uint256 amount, uint8 v, bytes32 r, bytes32 s) external {

sendToL1(

abi.encode(

address(token),

0, // value

abi.encodeCall(IERC20.transferFrom, (address(vault), msg.sender, amount))

)

);

}

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

withdrawTokensToL1(): No check for deposits amount

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.