Due to the lack of a nonce, an attacker can reuse the same signature multiple times to drain the contract of its tokens through the sendToL1(...) function.
The sendToL1(...) function does not keep track of nonces for operator-signed messages. That means that signatures can be reused over and over to withdraw funds from the bridge.
Loss of all tokens in the bridge contract
Test:
Logs:
Manual review
Foundry
Enforce nonce verification for operator-signed messages, incrementing the nonce upon each valid withdrawal.
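One way to implement this recommendation, as an added example that is not the audited contract's code. The contract name, the minimal `IERC20` interface, the per-recipient `nonces` mapping, the typed `(to, amount, nonce)` parameters and the error names are assumptions; the signed digest here also binds the chain id and the bridge address so a signature cannot be reused on another deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal token interface for this sketch.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical bridge used only to illustrate nonce enforcement.
contract NonceGuardedBridge {
    IERC20 public immutable token;
    mapping(address => bool) public signers;   // authorised operators
    mapping(address => uint256) public nonces; // next expected nonce per recipient

    error Unauthorized();
    error BadNonce();
    error TransferFailed();

    constructor(IERC20 _token, address operator) {
        token = _token;
        signers[operator] = true;
    }

    function sendToL1(
        uint8 v, bytes32 r, bytes32 s,
        address to, uint256 amount, uint256 nonce
    ) external {
        // A signature is valid only for the recipient's current nonce.
        if (nonce != nonces[to]) revert BadNonce();

        // The nonce is part of the signed data, so it cannot be swapped
        // by the caller without invalidating the signature.
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), to, amount, nonce)
        );
        bytes32 digest = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", inner)
        );

        address signer = ecrecover(digest, v, r, s);
        if (signer == address(0) || !signers[signer]) revert Unauthorized();

        // Consume the nonce before the external call: a second submission
        // of the same (v, r, s) now fails the BadNonce check above.
        nonces[to] = nonce + 1;

        if (!token.transfer(to, amount)) revert TransferFailed();
    }
}
```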