Submission Details
Severity: low
Invalid

`L1BossBridge::depositTokensToL2()` isn't nonReentrant

Summary

The `depositTokensToL2()` function could potentially be vulnerable to reentrancy attacks.

Vulnerability Details

```solidity
@>  function depositTokensToL2(address from, address l2Recipient, uint256 amount) external whenNotPaused {
        if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
            revert L1BossBridge__DepositLimitReached();
        }
        token.safeTransferFrom(from, address(vault), amount);
        // Our off-chain service picks up this event and mints the corresponding tokens on L2
        emit Deposit(from, l2Recipient, amount);
    }
```

Impact

The `depositTokensToL2()` function could potentially be vulnerable to reentrancy attacks. However, the `ReentrancyGuard` modifier is not used here. It's worth noting that the `safeTransferFrom()` function from the OpenZeppelin library is used, which mitigates reentrancy risks. For this reason, the vulnerability is marked as low. However, it's still a good practice to use the `nonReentrant` modifier for functions that change the state of the contract.

Tools Used

Manual review.

Recommendations

Add the

- function depositTokensToL2(address from, address l2Recipient, uint256 amount) external whenNotPaused {
+ function depositTokensToL2(address from, address l2Recipient, uint256 amount) external nonReentrant whenNotPaused {
if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
revert L1BossBridge__DepositLimitReached();
}
token.safeTransferFrom(from, address(vault), amount);
// Our off-chain service picks up this event and mints the corresponding tokens on L2
emit Deposit(from, l2Recipient, amount);
}
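
Review bot: the `+` line relies on a `nonReentrant` modifier, but nothing in this hunk shows `L1BossBridge` importing or inheriting a reentrancy guard, so confirm the contract already does and otherwise include that import and inheritance in the same patch, or the change will not compile. Separately, the body shown performs one external call, `token.safeTransferFrom(from, address(vault), amount)`, and then only emits `Deposit`; no contract storage is written after the call in these lines, so the recommendation should name the state a re-entrant call could leave inconsistent. Without that, the added modifier costs gas on every deposit without closing a demonstrated path.
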
Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
