User will lock his tokens if he passes `use_withdraw_auto` as true when bridging L2 -> L1
Summary
User will lock his tokens if he passes use_withdraw_auto as true when bridging L2 -> L1.
Vulnerability Details
Currently, passing use_withdraw_auto is permitted on the L2 deposit_tokens function:
There is nothing that stops a user from passing true for it and they might be deceived that such functionality exists and that he'll receive his tokens automatically on L1.
However, on L1 auto withdraw is disabled:
which will lead to the users token being stuck in the L2 escrow while he won't be able to withdraw it on L1.
With enough users using the protocol, this is almost guaranteed to happen. There's a high chance someone will try this functionality and lock his tokens even if there are disclaimers on the front end.
Currently, there's no reason for this variable to exist at all and the only thing that can come from it being existant is the risk of users accidentally locking their tokens.
Impact
Users accidentally locking their tokens
Tools Used
Manual review
Recommendations
Remove the opportunity for this variable to be passed by the user if such functionality won't be used. If you need it to build the request, automatically pass it as false.
Lead Judging Commences
finding-auto_withdrawn-L2-NFT-stuck
Impact: High, token will be stuck in L2 bridge. Likelyhood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.