The function `cancelRequest()` in `Bridge.sol` allows anyone to cancel a deposit request; however, it is susceptible to front-running, effectively leading to loss of user funds.
The function takes a `payload` and a `nonce` as parameters, which are used to identify and cancel a specific L1 to L2 message. These parameters are visible in the mempool before the transaction is confirmed.
Since the function only requires a `payload` and `nonce` to cancel a request, and doesn't verify the caller's identity, it's possible for anyone to cancel any request if they have these parameters.
Eve, the attacker, can monitor the mempool for `cancelRequest` transactions. Whenever she spots one, she can extract the payload and nonce, then submit her own transaction with the same data but a higher gas price.
Below is the function cancelRequest()
As you can see, there is no access control, enabling anyone to submit a request for cancellation. An attacker, Eve, can exploit this by monitoring the mempool to submit a different payload with a higher gas price.
Section: 6.3 Frontrun `cancelDeposit()`
User funds can be stolen
Manual Review
`msg.sender` should be included in the payload of `depositTokens()`, `startRequestCancellation` and `cancelDeposit()`.
The process to cancel a message is detailed here: https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/#l2-l1_message_cancellation Since `startRequestCancellation` has the `onlyOwner`, only the owner can begin that process.
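The recommendation to bind `msg.sender` into the request, combined with the owner-gated first step noted in the reply above, as an added sketch that is not the audited `Bridge.sol`. The contract name, function names, error names and the use of ETH escrow are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch for illustration; NOT the audited Bridge.sol.
// All names here (BoundCancelSketch, requestKey, ...) are assumptions.
contract BoundCancelSketch {
    address public immutable owner;
    // request key => escrowed amount (0 means no pending request)
    mapping(bytes32 => uint256) public escrow;
    // request key => cancellation has been started by the owner
    mapping(bytes32 => bool) public cancelStarted;

    error NotOwner();
    error UnknownRequest();
    error CancellationNotStarted();

    constructor() { owner = msg.sender; }

    // The depositor is part of the key, so the same (payload, nonce)
    // submitted by a different caller resolves to a different request.
    function requestKey(address depositor, uint256[] calldata payload, uint256 nonce)
        public pure returns (bytes32)
    {
        return keccak256(abi.encode(depositor, payload, nonce));
    }

    function deposit(uint256[] calldata payload, uint256 nonce) external payable {
        escrow[requestKey(msg.sender, payload, nonce)] += msg.value;
    }

    // Owner-gated first step, mirroring the onlyOwner restriction noted above.
    function startCancel(address depositor, uint256[] calldata payload, uint256 nonce) external {
        if (msg.sender != owner) revert NotOwner();
        bytes32 key = requestKey(depositor, payload, nonce);
        if (escrow[key] == 0) revert UnknownRequest();
        cancelStarted[key] = true;
    }

    // Second step: the key is derived from msg.sender, so a copied
    // transaction sent from another address finds no matching request.
    function cancel(uint256[] calldata payload, uint256 nonce) external {
        bytes32 key = requestKey(msg.sender, payload, nonce);
        uint256 amount = escrow[key];
        if (amount == 0) revert UnknownRequest();
        if (!cancelStarted[key]) revert CancellationNotStarted();
        delete escrow[key];          // effects before the external call
        delete cancelStarted[key];
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

Because the refund goes only to the address bound into the key, transaction ordering in the mempool does not change who receives the escrowed value.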