First Flight #4: Boss Bridge

First Flight #4

Beginner FriendlyFoundryBridge

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Only one token usable by L1BossBridge makes the TokenFactory useless and the bridge usable with only one token

Oozman

PoC for `Bridge can only work with one token` vulnerability

Summary

The L1BossBridge contract does not inherit the TokenFactory contract.
The L1BossBridge does not have a vault = new L1Vault(token); function outside of its constructor.

Vulnerability Details

The two missing points mentionned in the summary make it that the bridge is only usable with one token, which address is passed within the constructor upon deployment. This means that there will always be only one token that users will be able to bridge to L2 and withdraw to L1.

The fact that the TokenFactory contract is within the scope shows that this feature was planned into the business logic and has not been implemented into the BossBridge contract.

The two features:

Bridge
Token deployment

work independently. And the new created tokens cannot be implemented into the bridge logic.

Impact

The bridge cannot be used to its full extent. It restricts users to a unique token's holders.

High impact: because there is a severe disruption of protocol functionnality.
High likelyhood: because every user is going to be confronted to the fact that this bridge is useless unless they swap their tokens beforehand in most of the cases.

Tools Used

Forge
Code rewiewing
Solidity Metrics

Recommendations

Add the following import in L1BossBridge.sol

import {IERC20} from "@openzeppelin/contracts/interfaces/IERC20.sol";

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

+ import {TokenFactory} from "./TokenFactory.sol";

import {L1Vault} from "./L1Vault.sol";

Replace the L1Vault by the TokenFactory deployment in the constructor like so:

- constructor(IERC20 _token) Ownable(msg.sender) {

- token = _token;

- vault = new L1Vault(token);

- // Allows the bridge to move tokens out of the vault to facilitate withdrawals

- vault.approveTo(address(this), type(uint256).max);

- }

+ constructor(address _tokenFactory) Ownable(msg.sender) {

+ tokenFactory = new TokenFactory;

Add a deployToken() function that will create a separate Vault for each one of the tokens deployed and implement the possible use of several tokens into the deposit() and withdrawal() functions.

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.