stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: high
Invalid

A malicious user may take advantage of Arbitrum sequencer downtime to sell his reSDL at a much worse rate than previously agreed with a buyer on any secondary NFT marketplace

Summary

reSDL tokens are ERC721 tokens that can be transferred from one address to another and, using reSDLTokenBridge, from one chain to another. This opens the door to listing reSDL tokens for sale on secondary NFT marketplaces, and a malicious user could exploit this to sell a reSDL with a lower sdlToken value than agreed by taking advantage of sequencer downtime.

Vulnerability Details

Consider this scenario:

  • Bob stakes 10 SDL and receives a reSDL with token id 1.

  • He now holds an asset that earns him rewards, and since this asset is transferrable he decides to list it for sale on a secondary NFT marketplace.

  • He lists it for sale on Ethereum, with the option for a buyer on Arbitrum to purchase it and have it delivered to their Arbitrum wallet address.

  • Alice, the victim, bids for it and buys Bob's reSDL.

  • Bob waits for the Arbitrum sequencer to go down and then sends the NFT to Alice on Arbitrum using reSDLTokenBridge.transferRESDL().

  • Since the sequencer is down, the transaction is queued, and in the meantime Bob can withdraw some SDL from the reSDL on Ethereum (for the sake of this scenario, say 9 SDL, leaving the reSDL with 1 SDL instead of 10).

  • Once the sequencer is back up the transaction goes through and Alice receives the reSDL on Arbitrum with 1 SDL in it instead of the original 10 SDL.

Impact

See above: because sequencer uptime is not checked, some users can be tricked into buying a reSDL that is worth far less than its listed value.

Tools Used

Manual review

Recommendations

Check layer 2 sequencer uptime inside reSDLTokenBridge.transferRESDL() on chains where a sequencer uptime feed is available.
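As an added illustration of the recommended check (example code, not stake.link's own contract), the snippet below gates a transfer function behind the pattern Chainlink documents for its L2 Sequencer Uptime Feeds: the feed's answer is 0 while the sequencer is up and 1 while it is down, and startedAt is the timestamp at which the current status began, so a grace period after recovery lets the queued backlog drain before the function accepts new calls. The feed is deployed on the L2 itself, so this gate only applies to an L2 deployment of the bridge; the contract name, the feed address, the grace period and the simplified transferRESDL body are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration, not stake.link code. Only the part of the Chainlink
// aggregator interface that the check needs is declared inline so the file
// compiles stand-alone.
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (
            uint80 roundId,
            int256 answer,
            uint256 startedAt,
            uint256 updatedAt,
            uint80 answeredInRound
        );
}

contract SequencerGatedBridgeExample {
    // Hypothetical: on Arbitrum this would be Chainlink's sequencer uptime feed address.
    AggregatorV3Interface public immutable sequencerUptimeFeed;

    // Assumed value: reject transfers for a while after the sequencer returns so the
    // backlog of queued L1->L2 messages has time to clear first.
    uint256 public constant GRACE_PERIOD = 1 hours;

    error SequencerDown();
    error GracePeriodNotOver(uint256 secondsRemaining);

    event TransferRequested(
        address indexed from,
        uint64 destinationChainSelector,
        address receiver,
        uint256 tokenId
    );

    constructor(address feed) {
        sequencerUptimeFeed = AggregatorV3Interface(feed);
    }

    // Non-reverting view so a marketplace or front-end can show the status before
    // a user submits a transaction.
    function sequencerStatus() public view returns (bool up, uint256 secondsSinceUp) {
        (, int256 answer, uint256 startedAt, , ) = sequencerUptimeFeed.latestRoundData();
        up = (answer == 0);
        secondsSinceUp = up ? block.timestamp - startedAt : 0;
    }

    modifier whenSequencerUp() {
        (bool up, uint256 secondsSinceUp) = sequencerStatus();
        if (!up) revert SequencerDown();
        if (secondsSinceUp <= GRACE_PERIOD) {
            revert GracePeriodNotOver(GRACE_PERIOD - secondsSinceUp);
        }
        _;
    }

    // Stand-in for reSDLTokenBridge.transferRESDL(): the gate runs before anything
    // else, so a transfer cannot be initiated while the sequencer is down or has
    // only just recovered. The real function would lock or burn the reSDL locally
    // and dispatch the cross-chain message here.
    function transferRESDL(
        uint64 destinationChainSelector,
        address receiver,
        uint256 tokenId
    ) external payable whenSequencerUp {
        emit TransferRequested(msg.sender, destinationChainSelector, receiver, tokenId);
    }
}
```

The grace period is the part most often left out: a feed reporting "up" the moment the sequencer restarts does not mean the queued backlog has been processed, so rejecting calls until GRACE_PERIOD has elapsed since startedAt is what actually closes the window the report describes.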

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
