The withdrawTokens
function in the provided smart contract contains a critical vulnerability that allows any user to withdraw tokens on behalf of the legitimate owner. This vulnerability stems from the lack of authentication checks, specifically the absence of verification that the msg.sender
is the same as req.ownerL1
(the legitimate owner of the tokens).
The function withdrawTokens
does not verify that the caller (msg.sender
) is the legitimate owner of the tokens (req.ownerL1
).
Anyone can initiate the withdrawal process by calling this function with a crafted request.
Tokens are correctly transferred to req.ownerL1
, but the initiation of this process is not restricted.
PoC
Run
Denial of Service: An attacker can repeatedly initiate withdrawals for other users' tokens, potentially locking them in an unwanted state or causing excessive gas fees.
An attacker could force users' tokens back to L1 against their will.
Impact: Users relying on L2 for lower fees or faster transactions suddenly find their assets moved, potentially missing out on L2-specific opportunities or incurring unexpected L1 gas costs.
Manual Review
Implement strict authentication checks in the withdrawTokens
function. Add a requirement that msg.sender
must be equal to req.ownerL1
.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.