Submission Details
Severity:
Arbitrary `from` address in `L1BossBridge#depositTokensToL2()` method
Summary
If Alice approves her tokens to the token vault contract, anyone can call L1BossBridge#depositTokensToL2() to transfer Alice's tokens to his/her address on Layer 2.
Vulnerability Details
After Alice approving her tokens to the vault contract, an attacker can call L1BossBridge#depositTokensToL2() with from as Alice's address and l2Recipient as attacker's address on Layer 2.
Impact
Attackers can easily steal tokens from anyone who approve his/her tokens to the vault contract.
Tools Used
Manual review.
Recommendations
Check that the from parameter of depositTokensToL2() is the msg.sender or not.
function depositTokensToL2(address from, address l2Recipient, uint256 amount) external whenNotPaused {
if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
revert L1BossBridge__DepositLimitReached();
}
require(from == msg.sender, "Invalid caller");
token.safeTransferFrom(from, address(vault), amount);
// Our off-chain service picks up this event and mints the corresponding tokens on L2
emit Deposit(from, l2Recipient, amount);
}
Updates
Lead Judging Commences
0xnevi almost 2 years ago
Submission Judgement Published Assigned finding tags:
depositTokensToL2(): abitrary from address
Rewards breakdown
nSLOC
99This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.