Submission Details
Severity: high
Valid

The depositTokensToL2 function allows stealing of tokens from owners who have approved the L1BossBridge contract.

Summary

Malicious actors can watch for a user approving the BossBridge to spend his tokens and front-run the depositTokensToL2 function, which transfers the user's funds to the address provided by the malicious actor on layer 1.

Vulnerability Details

depositTokensToL2 lets the caller choose whose account the funds are spent from and which address they are withdrawn to on layer 2. A user who has given the BossBridge an allowance but has not yet withdrawn to layer 2, or who has given the BossBridge an infinite allowance, gives a malicious user the opportunity to steal the user's funds: the malicious user specifies the user's address as the from parameter of depositTokensToL2 to spend the user's tokens, and specifies his own address as the receiving address on layer 2.

Impact

  1. An MEV bot or an attacker can front-run all users who have given the BossBridge an allowance and steal all their funds.

Tools Used

Manual review and Foundry

POC

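function testAttackerCanstealApprovedTokensByOtherUsersAndDEposit() public {
    address attacker = makeAddr("attacker");

    // The user only approves the bridge; the user never calls deposit.
    vm.startPrank(user);
    uint256 amount = 10e18;
    token.approve(address(tokenBridge), amount);
    // Expect the bridge to credit the attacker on L2 for the user's tokens.
    vm.expectEmit(address(tokenBridge));
    emit Deposit(user, attacker, amount);
    vm.stopPrank();

    // The attacker front-runs, passing the user's address as `from`.
    vm.prank(attacker);
    tokenBridge.depositTokensToL2(user, attacker, amount);

    // The user's tokens now sit in the vault, deposited for the attacker.
    assertEq(token.balanceOf(address(tokenBridge)), 0);
    assertEq(token.balanceOf(address(vault)), amount);
}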

Add the test above to L1TokenBridge.t.sol and run forge t --mt testAttackerCanstealApprovedTokensByOtherUsersAndDEposit -vvvvv

Recommendations

The team should make sure that only the user who approved his tokens to the BossBridge is able to deposit them to the contract.

function depositTokensToL2(
- address from,
- token.safeTransferFrom(from, address(vault), amount);
- emit Deposit(from, l2Recipient, amount);
+ token.safeTransferFrom(msg.sender, address(vault), amount);
+ emit Deposit(msg.sender, l2Recipient, amount);
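Review bot: removing `address from` from the signature changes the function's arity, so every existing caller that passes three arguments, such as `tokenBridge.depositTokensToL2(user, attacker, amount)` in the PoC test, will stop compiling and has to be updated in the same change. The hunk shows only the changed lines, with the remaining parameters and body omitted, so confirm that no other use of `from` is left in the function. Keep the PoC as a regression test in two-argument form that expects a third-party call to revert.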
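A regression test for the recommended change, as an added example that is not part of the original submission or the project's code. `MockToken`, `PatchedBridge` and the test names are constructed stand-ins, and the forge-std and OpenZeppelin import paths assume the usual Foundry remappings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed token that mints a starting balance to one holder.
contract MockToken is ERC20("Mock", "MCK") {
    constructor(address holder) { _mint(holder, 100e18); }
}
// Constructed stand-in for the patched bridge: tokens are pulled from msg.sender only.
contract PatchedBridge {
    using SafeERC20 for IERC20;
    IERC20 public immutable token;
    address public immutable vault;
    event Deposit(address from, address to, uint256 amount);
    constructor(IERC20 _token, address _vault) { token = _token; vault = _vault; }
    function depositTokensToL2(address l2Recipient, uint256 amount) external {
        token.safeTransferFrom(msg.sender, vault, amount);
        emit Deposit(msg.sender, l2Recipient, amount);
    }
}

contract PatchedBridgeTest is Test {
    MockToken token;
    PatchedBridge bridge;
    address user = makeAddr("user");
    address thirdParty = makeAddr("thirdParty");
    address vault = makeAddr("vault");
    function setUp() public {
        token = new MockToken(user);
        bridge = new PatchedBridge(token, vault);
        vm.prank(user);
        token.approve(address(bridge), 10e18); // allowance left outstanding
    }
    function testApprovalCannotBeSpentByThirdParty() public {
        vm.expectRevert(); // the caller has no balance or allowance of its own
        vm.prank(thirdParty);
        bridge.depositTokensToL2(thirdParty, 10e18);
        assertEq(token.balanceOf(user), 100e18);
        assertEq(token.balanceOf(vault), 0);
    }
    function testOwnerCanStillDeposit() public {
        vm.prank(user);
        bridge.depositTokensToL2(user, 10e18);
        assertEq(token.balanceOf(vault), 10e18);
    }
}
```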
Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

depositTokensToL2(): arbitrary from address
