The vulnerability lies in the L2TokenReciever::swap function, which sets the deadline for the swap transaction to the current block timestamp using block.timestamp. This approach is susceptible to front-running attacks and can be exploited by malicious actors.
Because block.timestamp is read at the moment the transaction executes, a deadline equal to block.timestamp is satisfied in whichever block the transaction eventually lands in, so the check never actually expires the swap. This allows anyone with malicious intent to manipulate the transaction's execution by watching the mempool and front-running it. Front-running is a scenario where an attacker exploits the time delay between the submission of a transaction and its inclusion in a block. In this case, an attacker could submit a transaction with a higher gas fee and a later deadline, effectively replacing the original transaction in the pending block and manipulating the outcome in their favor.
The impact is that the contract is exposed to front-running attacks, which can result in undesirable outcomes such as suboptimal swap rates or failed transactions. Malicious actors can exploit the time-sensitive nature of blockchain transactions to their advantage, potentially causing financial losses or disruptions.
Manual Review
To address this vulnerability, it is recommended to use a more secure and deterministic approach for setting the deadline, for instance by accepting a uint256 _deadline parameter in the function, such as:
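The following is an added illustration of the recommendation and is not the audited project's code. It places the block.timestamp pattern described in the finding beside the caller-supplied _deadline pattern. The router interface is an assumed Uniswap-V2-style signature and the contract name is hypothetical; the real L2TokenReciever contract and its router may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed router interface (Uniswap-V2 style); not taken from the audited code.
interface IRouter {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

// Hypothetical contract used only to contrast the two patterns.
contract SwapDeadlineExample {
    IRouter public immutable router;

    constructor(IRouter _router) {
        router = _router;
    }

    // Pattern described in the finding: the deadline is taken from
    // block.timestamp at execution time, so `block.timestamp <= deadline`
    // holds in whatever block the transaction is included in. The check
    // never expires the swap, so a transaction left pending in the mempool
    // can still be executed later under worse conditions.
    function swapWithBlockTimestampDeadline(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path
    ) external returns (uint256[] memory) {
        return router.swapExactTokensForTokens(
            amountIn, amountOutMin, path, msg.sender, block.timestamp
        );
    }

    // Recommended pattern: the caller supplies an absolute deadline chosen
    // off-chain (for example, the current time plus a few minutes). If the
    // transaction is mined after that time, the swap reverts instead of
    // executing stale intent.
    function swapWithCallerDeadline(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        uint256 _deadline
    ) external returns (uint256[] memory) {
        // Explicit check gives a clear revert reason regardless of how the
        // router enforces its own deadline.
        require(block.timestamp <= _deadline, "swap: deadline expired");
        return router.swapExactTokensForTokens(
            amountIn, amountOutMin, path, msg.sender, _deadline
        );
    }
}
```

A deadline bounds when the swap may execute; a non-zero amountOutMin bounds the rate it may execute at. The suboptimal-rate outcome described above is only fully mitigated when both are set by the caller rather than derived on-chain.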