The function L1BossBridge::depositTokensToL2
accept as param an arbitrary address and it use this address inside safeTransferFrom instead of using msg.sender.
The function L1BossBridge::depositTokensToL2
accepts the from
address as a parameter.
The from
address is used inside the safeTransferFrom
function to move the amount of tokens from the from
address to the vault, and after that the L2 will move the funds to the l2Recipient
address.
An attacker can insert as from
an address of another user and steal funds.
Here a test to verify the attack:
An attacker can steal funds to another user that have approved a amount greater than the amount he had transferred.
Manual check + Foundry test
It is better use msg.sender
and not an arbitrary from
address in transferFrom.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.