The withdrawTokens function in the provided contract deserializes withdrawal requests using Protocol.requestDeserialize without performing any validation on the request's format or contents. This lack of validation can lead to unexpected behavior or vulnerabilities, potentially allowing malicious actors to exploit the deserialization process for unauthorized token withdrawals or other manipulations.
The withdrawTokens function directly invokes Protocol.requestDeserialize on the input request without validating its format or contents. This deserialization process lacks sufficient safeguards against malformed or manipulated requests, which could be used to exploit the contract.
The above code illustrates that the withdrawTokens function relies on Protocol.requestDeserialize to process the incoming request. However, no validation occurs before or after deserialization to ensure that the request adheres to expected formats or contains valid data.
The primary impact of this vulnerability is the potential for unauthorized token withdrawals. If a malicious actor crafts a specially formatted request that exploits the deserialization process, they may be able to:
- Withdraw tokens they do not own.
- Manipulate the mapping between L1 and L2 collections.

Carefully crafted malicious input could also cause the function to revert, leading to a denial of service for legitimate withdrawal requests.
Manual review
1: Add checks to ensure the request array has the expected length.
2: Validate each field of the deserialized request to ensure it contains expected and reasonable values.
3: After deserialization, add sanity checks on critical fields like token IDs, addresses, and amounts.
4: Wrap the deserialization in a try-catch block to handle any exceptions that might be thrown during the process.
5: Consider implementing limits on the number of tokens that can be processed in a single request to mitigate potential DoS attacks.
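The mitigations above carried into code, as an added example that is not part of this finding or the audited protocol: the request struct, the Protocol library and the Bridge contract with its mappings are all assumed stand-ins, since the page does not show the real struct or the signature of Protocol.requestDeserialize. It checks array lengths and a batch cap, rejects zero addresses and amounts, takes the L1-to-L2 pairing from bridge state rather than the caller's bytes, and confirms the caller escrowed each token before anything is released.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumed request layout: the page does not show the real Protocol struct or
// the signature of Protocol.requestDeserialize, so both are stand-ins here.
struct WithdrawRequest {
    address l1Collection;
    address l2Collection;
    address recipient;
    uint256[] tokenIds;
    uint256[] amounts;
}
library Protocol {
    // Hypothetical stand-in for the page's Protocol.requestDeserialize.
    function requestDeserialize(bytes calldata data) internal pure returns (WithdrawRequest memory) {
        return abi.decode(data, (WithdrawRequest)); // reverts on malformed encoding
    }
}
contract Bridge {
    uint256 public constant MAX_TOKENS_PER_REQUEST = 50; // caps per-call loop work
    mapping(address => address) public l1ToL2; // collections registered by the bridge
    // L2 collection -> tokenId -> account that escrowed the token
    mapping(address => mapping(uint256 => address)) public escrowedBy;
    error BadLength();
    error ZeroAddress();
    error UnmappedCollection(address l1Collection);
    error NotEscrowOwner(uint256 tokenId);
    error ZeroAmount(uint256 tokenId);
    // try/catch only wraps external calls, so an internal decode cannot be
    // caught; rely on abi.decode's revert and then check every field explicitly.
    function withdrawTokens(bytes calldata request) external {
        WithdrawRequest memory req = Protocol.requestDeserialize(request);
        _validate(req);
        // ... release req.tokenIds to req.recipient (omitted) ...
    }
    function _validate(WithdrawRequest memory req) internal view {
        uint256 n = req.tokenIds.length;
        if (n == 0 || n > MAX_TOKENS_PER_REQUEST || req.amounts.length != n) revert BadLength();
        if (req.recipient == address(0) || req.l1Collection == address(0)) revert ZeroAddress();
        // The L1->L2 pairing must come from bridge state, not from the caller's bytes.
        address l2 = l1ToL2[req.l1Collection];
        if (l2 == address(0) || l2 != req.l2Collection) revert UnmappedCollection(req.l1Collection);
        for (uint256 i = 0; i < n; ++i) {
            if (escrowedBy[l2][req.tokenIds[i]] != msg.sender) revert NotEscrowOwner(req.tokenIds[i]);
            if (req.amounts[i] == 0) revert ZeroAmount(req.tokenIds[i]);
        }
    }
}
```

Because validation runs before any state change, a request that fails any check reverts as a whole, so a single bad entry cannot partially drain escrow.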
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.