Create methods are suspicious of the reorg attack
Summary
Failure to withdraw tokens
Vulnerability Details
The protocol is deploying NEW NFT bridging contracts using ERC1967 proxy , The issue is that when users rely on the address derivation in advance or try to deploy the position clone with the same address on different EVM chains, any funds sent to the new contract could potentially be withdrawn by anyone else. All in all, it could lead to the theft of user collection.
Although the system is intended to be deployed on Ethereum, there still have been instances of chain reorgs in its PoS era : ref.
Chain reorgs are very prevalent in Ethereum mainnet, we can check this index of reorged blocks on etherscan
Assume user1 wants to withdraw their specific set of NFT from L2, they initiate the withdrawal of that particular collection. Another user2 who keeps eyes on the mempool sees a block reorg happening, and calls the deployBridge contract which creates NEW NFT bridging contracts Now user1 withdrawal happens and his collection is sent to thE NFT contract controlled by user2
Impact
Failure to withdraw from contract due to block reorg
Tools Used
Manual Review
Recommendations
Deploy such contracts via create2 with salt that includes msg.sender.
Lead Judging Commences
invalid-reorg-attack-create
`_l1ToL2Addresses` and `_l2ToL1Addresses` can only be set by the bridge owner or at the deployment in `withdrawTokens`. Even if there is a reorg, the contract will be deployed on a new address which won’t change anything to bridge tokens. No impact.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.