Submission Details
Severity: low
Invalid

L1BossBridge Contract allows for zero amount to be bridged out.

Summary

It's possible for users to bridge zero funds out of the contract.

Vulnerability Details

This does not pose any security threat, but it is logical to have a check in place that ensures a non-zero value is being sent out. Such a check could also help prevent gas wastage when a user unintentionally sends a 0 value.

POC

function testUserCanDepositTokens() public {
    vm.startPrank(user);
    // Deposit amount is deliberately zero.
    uint256 amount = 0;
    token.approve(address(tokenBridge), amount);
    vm.expectEmit(address(tokenBridge));
    emit Deposit(user, userInL2, amount);
    tokenBridge.depositTokensToL2(user, userInL2, amount);
    assertEq(token.balanceOf(address(tokenBridge)), 0);
    assertEq(token.balanceOf(address(vault)), amount);
    vm.stopPrank();
}

As seen above, the amount was set to zero. However, the test still passes.

Impact

No security threat.

Tools Used

Manual Review

Recommendations

Consider adding a check to the deposit function that ensures the amount passed is greater than zero. For example:

require(amount > 0, "No Value passed");
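
A regression test for the recommended check, as an added example that is not part of the original submission or the L1BossBridge source. `MiniBridge`, its `deposited` mapping and the test names are hypothetical stand-ins; only the `depositTokensToL2` call shape, the `Deposit` event and the `require` line come from the report above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal stand-in for the bridge's deposit path (assumption, not the audited contract).
contract MiniBridge {
    event Deposit(address from, address to, uint256 amount);

    // Bookkeeping used here in place of a real token transfer to the vault.
    mapping(address => uint256) public deposited;

    function depositTokensToL2(address from, address l2Recipient, uint256 amount) external {
        // The check recommended in the report: reject zero-value deposits up front.
        require(amount > 0, "No Value passed");
        deposited[from] += amount;
        emit Deposit(from, l2Recipient, amount);
    }
}

contract ZeroDepositTest is Test {
    event Deposit(address from, address to, uint256 amount);

    MiniBridge bridge;
    address user = makeAddr("user");
    address userInL2 = makeAddr("userInL2");

    function setUp() public {
        bridge = new MiniBridge();
    }

    // With the check in place, the zero-amount call from the POC must revert.
    function testZeroDepositReverts() public {
        vm.prank(user);
        vm.expectRevert(bytes("No Value passed"));
        bridge.depositTokensToL2(user, userInL2, 0);
    }

    // The check must not change behaviour for a non-zero deposit.
    function testNonZeroDepositStillEmits() public {
        vm.prank(user);
        vm.expectEmit(address(bridge));
        emit Deposit(user, userInL2, 1);
        bridge.depositTokensToL2(user, userInL2, 1);
        assertEq(bridge.deposited(user), 1);
    }
}
```
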
Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
