Submission Details
Severity:
`L1Sender::sendDepositToken` does not check if msg.value is enough to cover the cost
Fund can be lost if the L1 call value provided is insufficient to cover maxSubmissionCost_.
OutboundTransfer in L1Sender does not check if the call value is sufficient.
Vulnerability Details
function sendDepositToken(
uint256 gasLimit_,
uint256 maxFeePerGas_,
uint256 maxSubmissionCost_
) external payable onlyDistribution returns (bytes memory) {
DepositTokenConfig storage config = depositTokenConfig;
// @audit-ok check if it's well stETH and not Weth in mock and script
// Get current stETH balance
uint256 amountUnwrappedToken_ = IERC20(unwrappedDepositToken).balanceOf(address(this));
// Wrap all stETH to wstETH
uint256 amount_ = IWStETH(config.token).wrap(amountUnwrappedToken_);
// encode the maxvalue to execute the transaction on the L2 (arbitrum)
bytes memory data_ = abi.encode(maxSubmissionCost_, "");
// @audit-ok L - where goes the overflow of msg.value ? --> vuln report in Distribution::claim()
// @audit-info
// transfer wstETH trouh arbitrum gateway =)
return
IGatewayRouter(config.gateway).outboundTransfer{value: msg.value}(
config.token,
config.receiver,
amount_,
gasLimit_,
maxFeePerGas_,
data_
);
}
Recommendations
Add check similar to the one used in L1GatewayRouter provided by Arbitrum team
https://github.com/OffchainLabs/arbitrum/blob/b8366005a697000dda1f57a78a7bdb2313db8fe2/packages/arb-bridge-peripherals/contracts/tokenbridge/ethereum/gateway/L1GatewayRouter.sol#L236
uint256 expectedEth = _maxSubmissionCost + (_maxGas * _gasPriceBid);
require(_maxSubmissionCost > 0, "NO_SUBMISSION_COST");
require(msg.value == expectedEth, "WRONG_ETH_VALUE");
Updates
Prize pool breakdown
Total prize
22,500 USDC
nSLOC
1,05421 USDC / LOC
20,000 USDC
2,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.