User can bridge 0 tokens from L2 -> L1 while the other way around it's not possible.
When bridging tokens from L1 -> L2, we have this check in the _depositIntoEscrow
function:
which makes sure that the user can't bridge 0 assets.
However, this check is missing in the escrow_deposit_tokens
function on the L2 contract which allows users to bridge 0 tokens from L2 to L1.
This doesn't make sense and while I haven't found a meaningful impact, this opens up a user flow that is not needed and could lead to problems, and it seems like the developers wanted to disable such behavior by implementing the check on L1 but forgot to do it on L2.
Users can bridge 0 tokens which doesn't make sense and should be disabled like in the L1 contract.
Manual review
Add a check that asserts the user is sending at least 1 token in the escrow_deposit_tokens
function.
No real impact. Attacker will have to pay the deployment of the new contract even with 0 token, and it won’t have any interest do to that since he won’t take the control of the contract.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.