Tokens in the Vault can potentially become stuck, which can lead to a DoS for users who want to deposit on one layer and withdraw on another layer.
The logic in the depositTokensToL2 function checks that the vault won't exceed 100_000 ether for a successful deposit to occur, but the total amount of the token in circulation is 1_000_000 ether, which means there is a possibility that a holder of the token can arbitrarily send a huge amount of the token to the vault to halt the deposit function.
Users will be unable to deposit tokens on the affected chain and won't be able to move their tokens to the desired chain, which renders the protocol useless to users at that point in time.
The impact is medium because the likelihood of locking funds forever is low, as an operator can sign a transaction to reduce the balance of the vault.
Manual Review.
The BossBridge team can declare a state variable that holds the total deposits made by users through BossBridge and check against that state variable during deposit to be sure it does not exceed 100_000 ether, then add to it and deduct from it for a successful deposit and withdrawal respectively.