Submission Details
Severity:
`L2ContractMigrationFacet` overwrites user's deposit, instead of increasing it
Summary
L2ContractMigrationFacet overwrites user's deposit, instead of increasing it
Vulnerability Details
Currently, when migrating the deposits, if the receiver address has a deposit with the same depositId, both amount and bdv will be overwritten instead of increased.
// add deposit to account.
s.accts[account].deposits[depositId].amount = depositData.amounts[i];
s.accts[account].deposits[depositId].bdv = depositData.bdvs[i];
As the owner can choose any receiver they wish, this can even be weaponized to target users with big deposits and overwrite them.
Impact
Loss of protocol-native assets.
Tools Used
Manual review
Recommendations
Increase instead of overwriting
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Reason: Incorrect statement
Assigned finding tags:
`L2ContractMigrationFacet` overwrites user's deposit, instead of increasing it
Appeal created
deadrosesxyz
about 1 year ago
giovannidisiena
about 1 year ago
giovannidisiena
about 1 year ago
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
`L2ContractMigrationFacet` overwrites user's deposit, instead of increasing it
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.