Severity: high
Valid

Arbitrary 'from' in 'transferFrom' – Unauthorized Access

Summary

The depositTokensToL2 function calls "transferFrom" with an arbitrary "from" address, potentially granting unauthorized access. This allows an attacker to exploit a user's approval for the contract to spend their tokens. The attacker can call the function and specify the user's address as the "from" parameter in "transferFrom", enabling them to transfer the user's tokens.

Vulnerability Details

An attacker can manipulate the "from" address passed to the depositTokensToL2 function. This leads to unauthorized access and the potential transfer of another user's tokens, undermining the security and integrity of the contract's token handling.

Impact

The vulnerability exposes a critical risk of unauthorized token transfers, potentially leading to loss of user funds and a breach of trust in the affected smart contract.

POC

  • Copy the test function below and paste it into L1BossBridgeTest.t.sol

  • Now run forge test --match-test testManipulatedFromAddressCanDeposit -vvvv in a terminal

  • You will get this result: Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 16.16ms

function testManipulatedFromAddressCanDeposit() public {
    address attacker = makeAddr("attacker");

    // The user approves the bridge to spend their tokens.
    vm.startPrank(user);
    uint256 amount = 10e18;
    token.approve(address(tokenBridge), amount);
    vm.stopPrank();

    vm.expectEmit(address(tokenBridge));
    // The attacker calls the deposit, passing the user's address as "from".
    vm.startPrank(attacker);
    emit Deposit(user, userInL2, amount);
    tokenBridge.depositTokensToL2(user, userInL2, amount);

    // The user's tokens have moved to the vault.
    assertEq(token.balanceOf(address(tokenBridge)), 0);
    assertEq(token.balanceOf(address(vault)), amount);
    vm.stopPrank();
}

Tools Used

  • Foundry and manual review
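
Manual review for this pattern can be backed by a mechanical check. The following is an added example, not part of the original submission or the project's code: a heuristic Python scan that flags transferFrom/safeTransferFrom calls whose "from" argument is not msg.sender or address(this). The name find_arbitrary_from and the VULNERABLE sample are constructed for illustration.

```python
import re

# Heuristic, line-based scan (not a Solidity parser): signatures are assumed
# to fit on one line and block comments are not handled.
CALL_RE = re.compile(r"\b(?:safeTransferFrom|transferFrom)\s*\(\s*([^,]+?)\s*,")
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)")
TRUSTED_FROM = {"msg.sender", "address(this)"}


def find_arbitrary_from(source):
    """Return (line_no, function, from_expr, is_caller_supplied) for each
    transferFrom/safeTransferFrom whose `from` is not a trusted expression."""
    findings = []
    func, params = None, set()
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # drop line comments
        header = FUNC_RE.search(code)
        if header:
            func = header.group(1)
            # Parameter name is the last token of "type [location] name".
            params = {p.split()[-1] for p in header.group(2).split(",") if p.strip()}
            code = code[header.end():]  # do not treat the signature as a call
        for call in CALL_RE.finditer(code):
            from_expr = call.group(1)
            if from_expr not in TRUSTED_FROM:
                findings.append((line_no, func, from_expr, from_expr in params))
    return findings


# Constructed sample: the page's fixed function with the caller-supplied
# `from` parameter put back, matching the three-argument call in the PoC.
VULNERABLE = """\
function depositTokensToL2(address from, address l2Recipient, uint256 amount) external whenNotPaused {
    token.safeTransferFrom(from, address(vault), amount);
    emit Deposit(from, l2Recipient, amount);
}
"""

# The fixed function from the Recommendations section (limit check omitted).
FIXED = """\
function depositTokensToL2(address l2Recipient, uint256 amount) external whenNotPaused {
    // Use msg.sender as the sender address
    token.safeTransferFrom(msg.sender, address(vault), amount);
    emit Deposit(msg.sender, l2Recipient, amount);
}
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        print(name, find_arbitrary_from(src))
```

A finding with is_caller_supplied set to True is the case this submission reports; one with False (a state variable as "from") still deserves a manual look.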

Recommendations

Use msg.sender as from in transferFrom.

Replace the depositTokensToL2 function with the code below:

+function depositTokensToL2(address l2Recipient, uint256 amount) external whenNotPaused {
+ if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
+ revert L1BossBridge__DepositLimitReached();
+ }
+ // Use msg.sender as the sender address
+ token.safeTransferFrom(msg.sender, address(vault), amount);
+ // Our off-chain service picks up this event and mints the corresponding tokens on L2
+ emit Deposit(msg.sender, l2Recipient, amount);
}
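
Review bot: callers are not updated alongside the signature change to depositTokensToL2(address l2Recipient, uint256 amount); the PoC's tokenBridge.depositTokensToL2(user, userInL2, amount) and any other three-argument caller will stop compiling, so update them in the same change and convert the PoC into a regression test asserting that a deposit made by the attacker leaves the user's balance untouched. The hunk also shows only added lines, with no removed lines for the old function and a closing } that carries no + marker, so include the removal of the old function to make it reviewable as a diff.
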
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

depositTokensToL2(): arbitrary from address
