Submission Details
Severity: high
Valid

Tokens of other users can be deposited in the vault via L1BossBridge::depositTokensToL2

Summary

In L1BossBridge.sol, users can call depositTokensToL2 with the from parameter set to the address of an arbitrary user.

Vulnerability Details

An attacker can exploit this by depositing another user's L1 tokens and naming himself as the recipient on L2.

Impact

The impact is high since an attacker can watch for users approving the L1Token. He then has a window to call depositTokensToL2 before those users do. It is therefore possible for the attacker to amass a considerable sum on L2.

Since the protocol can be paused, this is not as bad as it could be.

Tools Used

1- Slither static analyzer
2- Forge tests

Recommendations

A simple solution is to remove the from parameter and use msg.sender instead.

    function depositTokensToL2(address l2Recipient, uint256 amount) external whenNotPaused {
        if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {
            revert L1BossBridge__DepositLimitReached();
        }
        // Pull tokens from the caller only, so an allowance granted by another user cannot be spent.
        token.safeTransferFrom(msg.sender, address(vault), amount);
        emit Deposit(msg.sender, l2Recipient, amount);
    }

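A Forge regression test for the recommended fix, added here as an example and not taken from the submission or the project's code. MockToken, PatchedBridge, the test contract, the alice and mallory addresses, and the forge-std and OpenZeppelin import paths are assumptions; the pause and deposit-limit checks are left out to keep the focus on the source of the transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeERC20, IERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed stand-ins; the real token, vault, pause and limit logic are omitted.
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MCK") {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}

contract PatchedBridge {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    address public immutable vault;
    event Deposit(address from, address to, uint256 amount);
    constructor(IERC20 _token, address _vault) { token = _token; vault = _vault; }
    function depositTokensToL2(address l2Recipient, uint256 amount) external {
        token.safeTransferFrom(msg.sender, vault, amount); // caller's tokens only
        emit Deposit(msg.sender, l2Recipient, amount);
    }
}

contract DepositFromRegressionTest is Test {
    MockToken token;
    PatchedBridge bridge;
    address vault = makeAddr("vault");
    address alice = makeAddr("alice");     // approves the bridge
    address mallory = makeAddr("mallory"); // no tokens, no allowance

    function setUp() public {
        token = new MockToken();
        bridge = new PatchedBridge(token, vault);
        token.mint(alice, 100e18);
        vm.prank(alice);
        token.approve(address(bridge), 100e18);
    }

    function test_onlyCallerFundsCanBeDeposited() public {
        vm.prank(mallory);
        vm.expectRevert(); // transferFrom(mallory, ...) has nothing to spend
        bridge.depositTokensToL2(mallory, 100e18);
        assertEq(token.balanceOf(alice), 100e18); // alice's approval was not used
        vm.prank(alice);
        bridge.depositTokensToL2(alice, 40e18);   // the owner's own deposit still works
        assertEq(token.balanceOf(vault), 40e18);
    }
}
```
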
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

depositTokensToL2(): arbitrary from address
