Submission Details
Severity: medium
Invalid

Locking of funds in vault if allowance is reached

Summary

The approveTo() function in L1Vault is called only once in the constructor of L1BossBridge. There is no other way to call the function.

Vulnerability Details

During contract creation, the Boss Bridge contract sets an allowance of type(uint256).max for withdrawals from the vault.

Constructor code
    constructor(IERC20 _token) Ownable(msg.sender) {
        token = _token;
        vault = new L1Vault(token);
        // Allows the bridge to move tokens out of the vault to facilitate withdrawals
        vault.approveTo(address(this), type(uint256).max);
    }

While this allowance is very large, it is not infinite, and in theory it can be reached over time through large withdrawals. There is no other way to increase this allowance. If it is reached, all funds in the vault will be locked forever.

Also in theory, an attacker can grief their way to the allowance limit by continuously submitting many deposits and withdrawals with large amounts.

Impact

If this happens, all funds in the vault will be locked. The likelihood is relative, as it depends on which token is used, the frequency of withdrawals and other factors. If only L1Token is used, then the likelihood is extremely low, since you would need at least 2^256 / 100 000 = 1.1579209e+72 withdrawals of 100 000 tokens (the limit of the vault).

Tools Used

Manual review

Recommendations

Add a function in L1BossBridge that increases the withdraw allowance from the vault.
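
The allowance accounting behind this finding and its recommendation can be checked with a small model. This is an added example, not code from the submission or the project: `AllowanceModel`, its `skip_max` flag and the helper names are hypothetical, and whether the bridged token leaves a type(uint256).max allowance untouched on spend (as OpenZeppelin's ERC20 `_spendAllowance` does) is an assumption to verify against the token's source.

```python
# Added example: a model of ERC-20 allowance accounting, not the project's code.
UINT256_MAX = 2**256 - 1


class InsufficientAllowance(Exception):
    """Stands in for the revert a token raises when the allowance is too small."""


class AllowanceModel:
    """One owner->spender allowance held as a uint256 (hypothetical helper).

    skip_max=True  models tokens that treat UINT256_MAX as an infinite approval
                   and never decrement it (assumption: OpenZeppelin-style).
    skip_max=False models tokens that decrement on every transferFrom.
    """

    def __init__(self, allowance=UINT256_MAX, skip_max=False):
        self.allowance = allowance
        self.skip_max = skip_max

    def spend(self, amount):
        if self.skip_max and self.allowance == UINT256_MAX:
            return  # infinite approval: allowance is left untouched
        if amount > self.allowance:
            raise InsufficientAllowance(amount)
        self.allowance -= amount

    def approve(self, amount):
        # The recommended fix amounts to exposing this step on the bridge.
        self.allowance = amount


def withdrawals_to_exhaust(amount, allowance=UINT256_MAX):
    """Full withdrawals of `amount` that succeed before the next one reverts."""
    return allowance // amount


def run_withdrawals(model, amount, count):
    """Apply `count` withdrawals and return the remaining allowance."""
    for _ in range(count):
        model.spend(amount)
    return model.allowance


if __name__ == "__main__":
    print("withdrawals needed:", withdrawals_to_exhaust(100_000))
    print("decrementing token:", run_withdrawals(AllowanceModel(), 100_000, 3))
    print("max-skipping token:", run_withdrawals(AllowanceModel(skip_max=True), 100_000, 3))
```

When reviewing a max approval like the one in the constructor, read the token's `transferFrom` first: if it skips the decrement at type(uint256).max, the allowance never moves from its initial value.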

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
