When bridging NFTs from L2 to L1 with the use_withdraw_auto flag enabled, users are unable to withdraw these NFTs on L1 due to the auto-withdraw functionality being disabled in the withdrawTokens() function of the L1 bridge contract.
When bridging NFTs from L2 to L1, the use_withdraw_auto flag can be set to true
. This flag will be encoded into the request header and sent to L1:
However, the withdrawTokens() function on the L1 bridge contract checks the request header. If use_withdraw_auto is enabled, it attempts to use the auto-withdraw functionality, which has been disabled:
Users who bridge NFTs from L2 to L1 with the use_withdraw_auto
flag enabled will be unable to withdraw their NFTs on L1, results in locking these NFTs.
vscode
Ensure use_withdraw_auto
is constantly set to false until the protocol supports this feature.
Impact: High, token will be stuck in L2 bridge. Likelyhood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.