MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: high
Invalid

Absence of ERC20 and Position NFT Withdrawal/Transfer Mechanisms in `L2TokenReceiver` Contract

Summary

The L2TokenReceiver contract lacks essential functions for asset management, including the ability to withdraw ERC20 tokens and ERC721 position NFTs. These omissions limit the owner's ability to efficiently manage the contract's assets and respond to operational requirements.

Vulnerability Details

The contract does not include functions to:

  1. Withdraw ERC20 tokens to the owner's address or another specified address.

  2. Transfer ownership of ERC721 position NFTs, such as those representing liquidity positions in Uniswap v3 pools.

The absence of these functions means the owner cannot directly transfer ERC20 tokens or position NFTs out of the contract. This can hinder the owner's ability to reallocate funds, or to manage liquidity positions by removing liquidity or transferring the position NFT to another address or contract in emergency situations.

Impact

Without dedicated withdrawal/transfer functions, the owner faces increased operational complexity and inefficiency. The inability to perform these actions directly can lead to challenges in quickly moving funds, rescuing assets, or transferring positions, especially in time-sensitive situations such as contract migrations, emergency responses, or asset rebalancing.

Tools Used

Manual review

Recommendations

  • Implement ERC20 Withdrawal Function: Introduce a secure withdrawal function for ERC20 tokens, ensuring it includes proper access controls, such as the onlyOwner modifier.

Example implementation:

    // Owner-only withdrawal of any ERC20 balance held by this contract.
    function withdrawERC20(address tokenAddress, uint256 amount, address recipient) external onlyOwner {
        // Reverts when transfer returns false; tokens whose transfer returns no value also revert here.
        require(IERC20(tokenAddress).transfer(recipient, amount), "Withdrawal failed");
    }

  • Implement NFT Transfer Function: Add a function to transfer ERC721 position NFTs to a specified address, also secured with the onlyOwner modifier.

Example implementation:

    // Owner-only transfer of a position NFT held by this contract.
    function transferPositionNFT(uint256 tokenId, address recipient) external onlyOwner {
        IERC721(nonfungiblePositionManager).transferFrom(address(this), recipient, tokenId);
    }

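
A hardened variant of the two recommended functions, added here as an example (it is not the submitter's or the Morpheus project's code). The contract name `RescuableReceiver`, its events and errors are hypothetical, and `nonfungiblePositionManager` is assumed to be fixed at deployment. It accepts ERC20 tokens whose `transfer` returns no value, rejects the zero address, and logs every owner withdrawal.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hypothetical contract, not part of the audited code base.
interface IERC721Minimal {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract RescuableReceiver {
    address public immutable owner;
    address public immutable nonfungiblePositionManager; // assumption: set once at deployment

    event ERC20Withdrawn(address indexed token, address indexed recipient, uint256 amount);
    event PositionTransferred(uint256 indexed tokenId, address indexed recipient);
    error NotOwner();
    error ZeroAddress();
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address positionManager_) {
        if (positionManager_ == address(0)) revert ZeroAddress();
        owner = msg.sender;
        nonfungiblePositionManager = positionManager_;
    }

    function withdrawERC20(address token, uint256 amount, address recipient) external onlyOwner {
        if (recipient == address(0)) revert ZeroAddress();
        // Low-level call so tokens that return no data are accepted, while a
        // token that returns false or reverts still fails the withdrawal.
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("transfer(address,uint256)", recipient, amount)
        );
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed();
        if (ret.length == 0 && token.code.length == 0) revert TransferFailed(); // no contract at address
        emit ERC20Withdrawn(token, recipient, amount);
    }

    function transferPositionNFT(uint256 tokenId, address recipient) external onlyOwner {
        if (recipient == address(0)) revert ZeroAddress();
        // safeTransferFrom reverts if a contract recipient cannot receive ERC721 tokens.
        IERC721Minimal(nonfungiblePositionManager).safeTransferFrom(address(this), recipient, tokenId);
        emit PositionTransferred(tokenId, recipient);
    }
}
```
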
Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
