Submission Details
Severity:
L1BossBridge.sol - withdrawTokensToL1 - Should not use `to` but `msg.sender`
Summary
A malicious actor could keep calling withdrawTokensToL1 when other users are depositing funds as soon as the deposit amount in available on L2
making the user not able to access their funds on L2 and the bridge useless / spammed
Vulnerability Details
withdrawTokensToL1 should use "msg.sender" instead of "to" making the function safer and cheaper in gas
Impact
Bridge could be spammed by transaction that the operator will have to sign even if the user didn't request them.
User won't be able to access their funds on L2
Tools Used
Manual
Recommendations
Use msg.sender instead of "address to"
- function withdrawTokensToL1(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
+ function withdrawTokensToL1(uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
sendToL1(
v,
r,
s,
abi.encode(
address(token),
0, // value
- abi.encodeCall(IERC20.transferFrom, (address(vault), to, amount)) // @note use safe call instead
+ abi.encodeCall(IERC20.transferFrom, (address(vault), msg.sender, amount)) // @note use safe call instead
)
);
}
Rewards breakdown
nSLOC
99This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.