Submission Details
Severity: high
Valid

`L1BossBridge::from`: Used `from` instead of `msg.sender` in `safeTransferFrom`

Summary

The `depositTokensToL2` function in `L1BossBridge` does not strictly control the `from` address, which an attacker can potentially exploit. An attacker could deploy a malicious contract, call the vulnerable function with a manipulated `from` address, and execute arbitrary code, leading to financial losses and disruption of the contract's operation.

Vulnerability Details

```solidity
function depositTokensToL2(address from, address l2Recipient, uint256 amount) external whenNotPaused {
    if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
        revert L1BossBridge__DepositLimitReached();
    }
@>  token.safeTransferFrom(from, address(vault), amount);
    // Our off-chain service picks up this event and mints the corresponding tokens on L2
    emit Deposit(from, l2Recipient, amount);
}
```

Impact

```solidity
// Simplified form of the same pattern: `from` is supplied by the caller
function a(address from, address to, uint256 amount) public {
    erc20.safeTransferFrom(from, to, amount);
}
```

Alice approves this contract to spend her ERC20 tokens. Bob can call `a` and specify Alice's address as the `from` parameter in `safeTransferFrom`, allowing him to transfer Alice's tokens to himself.
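
The Alice and Bob scenario above as a Foundry test, next to a sender-only variant of the deposit. This is an added example, not code from the submission or the audited project: `MockToken`, `BridgeModel`, `depositArbitraryFrom` and `depositFromSender` are hypothetical names, the bridge itself stands in for the vault, and forge-std plus OpenZeppelin contracts are assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed stand-ins for this example; not the audited contracts.
contract MockToken is ERC20("Mock", "MCK") { constructor(address to) { _mint(to, 100e18); } }
contract BridgeModel {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    event Deposit(address from, address to, uint256 amount);
    constructor(IERC20 _token) { token = _token; }
    // Pattern from the finding: the caller chooses whose allowance is spent.
    function depositArbitraryFrom(address from, address l2Recipient, uint256 amount) external {
        token.safeTransferFrom(from, address(this), amount); // address(this) stands in for the vault
        emit Deposit(from, l2Recipient, amount);
    }
    // Sender-only pattern: the depositor is always the caller.
    function depositFromSender(address l2Recipient, uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        emit Deposit(msg.sender, l2Recipient, amount);
    }
}

contract ArbitraryFromTest is Test {
    address alice = makeAddr("alice");
    address bob = makeAddr("bob");
    MockToken token;
    BridgeModel bridge;
    function setUp() public {
        token = new MockToken(alice);          // Alice holds 100 tokens
        bridge = new BridgeModel(token);
        vm.prank(alice);                       // Alice approves the bridge, as a depositor would
        token.approve(address(bridge), type(uint256).max);
    }
    function test_arbitraryFromSpendsAliceAllowance() public {
        vm.prank(bob);                         // Bob is the caller, Alice is only named as `from`
        bridge.depositArbitraryFrom(alice, bob, 100e18);
        assertEq(token.balanceOf(alice), 0);
    }
    function test_senderOnlyDepositLeavesAliceUntouched() public {
        vm.prank(bob);
        vm.expectRevert();                     // Bob has no balance or allowance of his own
        bridge.depositFromSender(bob, 100e18);
        assertEq(token.balanceOf(alice), 100e18);
    }
}
```

Both tests pass: the first confirms the exposure created by a standing approval, the second is the regression check to keep once the deposit pulls only from `msg.sender`.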

Tools Used

  • Slither

  • Foundry

Recommendations

Use `msg.sender` as `from` in `safeTransferFrom`.

- token.safeTransferFrom(from, address(vault), amount);
+ token.safeTransferFrom(msg.sender, address(vault), amount);
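
Review bot: the replacement on the `safeTransferFrom` line leaves the `from` parameter in the `depositTokensToL2` signature and in `emit Deposit(from, l2Recipient, amount)` shown under Vulnerability Details, so the event that the off-chain service picks up would still carry a caller-supplied address while the tokens are pulled from `msg.sender`. Suggest dropping the `from` parameter from the function and emitting `Deposit(msg.sender, l2Recipient, amount)` so the transfer and the event always name the same depositor.
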
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

depositTokensToL2(): arbitrary from address
