When doing a Bridged transaction (L2 -> L1), the sequencer calls L2Bridge::withdraw_auto_from_l1
.
When calling this function in the last of it we call ensure_erc721_deployment
and in the last of this function, we call _white_list_collection
if the collection is not whitelisted we add it to the whitelisted Linked List.
If we check the logic of the addition in _white_list_collection
we will find that it adds the new collection in the last of that Linked List, and we are using single Linked List DS, not Double. So we are iterating over all the elements to put this NFT collection in the Linked List.
As we can see we are iterating from the head
to the next element to the next one, and so on till we reach the end of the linked list (the next element is zero), then we link our collection to it.
Whitelisting a linked list is only a part of the logic done when calling withdraw_auto_from_l1
, besides deploying the NFT collection, mint NFTs to the L2 recipient, and other things, so the tx gas cost will increase and may even reach the maximum.
Another thing we need to take into consideration is that this function is called by the sequencer, so reverting the tx is possible, and the sequencer may not accept the message from L1 from the beginning if the fees provided was small.
Normal Scenario
WhiteListing is disabled in L1Bridge
, so any NFT collection can be bridged.
Bridge is so active and a lot of NFTs are bridged from L1 to L2.
Once the collection is deployed, it is added to whitelisted
collection Linked List.
The number of whitelisted collections increases 10, 20, 50, 100, 200, 500, 1000, ...
The cost for Bridging new NFT collection became too large as withdraw_auto_from_l1
iterates 1000
time besides deploying a new contract and some checks.
The transaction will get reverted when the sequencer calls it because of the huge TX cost, or it will not accept processing the message in the first place from L1.
Attack Scenario
WhiteListing is disabled in L1Bridge
, so any NFT collection can be bridged.
Bridge is so active and a lot of NFTs are bridged from L1 to L2.
An Attacker spammed Bridging different NFTs from (L1 -> L2).
The number of whitelisted collections increases 10, 20, 50, 100, 200, 500, 1000, ...
The cost for Bridging new NFT collection became too large as withdraw_auto_from_l1
iterates 1000
time besides deploying a new contract and some checks.
The transaction will get reverted when the sequencer calls it because of the huge TX cost, or it will not accept processing the message in the first place from L1.
Permanent DoS for Bridging new NFTs from L1 -> L2
Manual Review
You can use something like OpenZeppelin EnumberableSets
in solidity, and if it is not found we can use Head/Tail
Linked List, where we will store the First and the last element in the linked list, so when we add a new element we will do it at θ(1)
not θ(N)
Average time complexity.
Likelyhood: High, once the whitelist option is disabled, collections will grow. Impact: High, withdraw won’t be possible because of Out-Of-Gas.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.