MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: high
Valid

User could lose his MOR tokens on L2

Summary

A user could lose his reward in MOR tokens on L2 if his address on the L2 chain holds a contract that cannot work with tokens.

Vulnerability Details

There are several cases in which a user does not have access to the same address on the other chain, or in which the address on the other chain holds a different contract with different code that cannot work with (transfer) tokens.
For example, on L1 the user works with the contracts through a multisig, but on L2 other contracts are already deployed at this address.
The user stakes his tokens on L1, after some time calls claim(), and cannot receive his tokens on L2, because they are minted to the same address on L2.

Impact

The user calls the claim function -> on L2 the L2MessageReceiver contract mints tokens to the user's address, but the user cannot work with the tokens.

Tools Used

Manual review

Recommendations

  1. Allow the user to specify the token receiver address in the claim function.

  2. Add a modifier to the claim function that checks that msg.sender is the user's address. This restricts the case where another user could call claim() and specify the user's address.
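
The two recommendations combined, as an added sketch that is not the MorpheusAI code: `ClaimSketch`, `IRewardBridge`, `sendMintMessage`, `pendingRewards`, `_accrue` and the `claim(user, receiver)` signature are hypothetical names standing in for the L1 claim path and the message that `L2MessageReceiver` acts on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the L1 -> L2 message sender (assumption, not the project's interface).
interface IRewardBridge {
    function sendMintMessage(address receiver, uint256 amount) external payable;
}

abstract contract ClaimSketch {
    IRewardBridge public immutable bridge;
    mapping(address => uint256) public pendingRewards; // simplified reward accounting

    error NotStaker();
    error ZeroReceiver();
    error NothingToClaim();

    constructor(IRewardBridge bridge_) {
        bridge = bridge_;
    }

    // Behaviour described in the finding: the reward is always minted to the
    // staker's own address on L2, which the staker may not control there.
    function claimToSameAddress(address user) external payable {
        uint256 amount = _takeRewards(user);
        bridge.sendMintMessage{value: msg.value}(user, amount);
    }

    // Recommendation 1: the staker names the L2 receiver.
    // Recommendation 2: only the staker may claim (and pick a receiver) for their rewards.
    function claim(address user, address receiver) external payable {
        if (msg.sender != user) revert NotStaker();
        if (receiver == address(0)) revert ZeroReceiver();
        uint256 amount = _takeRewards(user);
        bridge.sendMintMessage{value: msg.value}(receiver, amount);
    }

    // Called by the staking logic of a derived contract to credit rewards.
    function _accrue(address user, uint256 amount) internal {
        pendingRewards[user] += amount;
    }

    function _takeRewards(address user) private returns (uint256 amount) {
        amount = pendingRewards[user];
        if (amount == 0) revert NothingToClaim();
        pendingRewards[user] = 0; // state updated before the external bridge call
    }
}
```

Without the `msg.sender` check, the receiver parameter would let any caller redirect another staker's rewards, which is why the two recommendations belong together.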

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Users that interact through smart contracts, account abstraction or multisig wallets lose all rewards because they are not the owners of the same addresses on L2
