The depositTokens
function in the Bridge contract fails to capture and store the nonce
and msgHash
returned by the sendMessageToL2
function. This omission severely impacts the ability to manage and cancel cross-chain transactions.
This is because the nonce is used a parameter to cancel a txn.
When a user depositTokens to the L2
The depositTokens
function calls sendMessageToL2
but it doesn't store the returned nonce
and msgHash
.
This is a critical oversight.
No event is emitted containing the nonce
and msgHash
for future reference.
Implications for Cancellation: The startRequestCancellation
function requires the nonce
as a parameter, which is not available due to this oversight. This effectively renders the cancellation feature unusable.
Users cannot cancel initiated deposits, potentially leading to locked funds.
Loss of transaction traceability between L1 and L2.
Manual Review
Modify the depositTokens
function to capture and store the nonce
and msgHash
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.