Failure to withdraw tokens
The protocol is deploying NEW NFT bridging contracts using ERC1967 proxy , The issue is that when users rely on the address derivation in advance or try to deploy the position clone with the same address on different EVM chains, any funds sent to the new
contract could potentially be withdrawn by anyone else. All in all, it could lead to the theft of user collection.
Although the system is intended to be deployed on Ethereum, there still have been instances of chain reorgs in its PoS era : ref.
Chain reorgs are very prevalent in Ethereum mainnet, we can check this index of reorged blocks on etherscan
Assume user1 wants to withdraw their specific set of NFT from L2, they initiate the withdrawal of that particular collection. Another user2 who keeps eyes on the mempool sees a block reorg happening, and calls the deployBridge
contract which creates NEW NFT bridging contracts
Now user1 withdrawal happens and his collection is sent to thE NFT contract controlled by user2
Failure to withdraw from contract due to block reorg
Manual Review
Deploy such contracts via create2
with salt
that includes msg.sender
.
`_l1ToL2Addresses` and `_l2ToL1Addresses` can only be set by the bridge owner or at the deployment in `withdrawTokens`. Even if there is a reorg, the contract will be deployed on a new address which won’t change anything to bridge tokens. No impact.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.