If `from` is moved to the `deposit_tokens` params, attackers will be able to steal NFTs from users
The TODO below is mentioned in `deposit_tokens` in the L2 bridge
If there is a `from` param in `deposit_tokens`, attackers will be able to steal NFTs from users. It is common to approve tokens to bridge contracts using `setApprovalForAll`, which sets approval for all tokens the user owns. It is also common to give approval to bridge contracts beforehand.
In such cases an attacker can simply use the approval to pull the tokens from the user by calling `deposit_tokens` with the `from` param pointing to the victim's address and the `ownerL1` field pointing to the attacker's address. The `deposit_tokens` call will succeed because there is an allowance from the user to the bridge.
After the deposit call is successful, the attacker can withdraw the tokens on L1 and steal them.
Similarly, this issue will also persist if the `depositTokens` params are updated to have a `from` parameter.
Attackers can steal users' NFTs.
Manual review
Don't include a `from` parameter when depositing tokens.
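The approval issue described above, modelled as an added Python example (not code from the audited bridge or from the original submission). The `NFT` and `Bridge` classes, their method names and the addresses are constructed for illustration, with `deposit_with_from` standing in for a `deposit_tokens` that takes a `from` parameter and `deposit` for the recommended caller-only form.

```python
class NFT:
    """Constructed stand-in for an ERC-721 collection with operator approvals."""
    def __init__(self):
        self.owner = {}          # token_id -> current owner
        self.operators = set()   # (owner, operator) pairs from setApprovalForAll

    def set_approval_for_all(self, caller, operator):
        self.operators.add((caller, operator))

    def transfer_from(self, caller, src, dst, token_id):
        if self.owner.get(token_id) != src:
            raise PermissionError("src does not own the token")
        if caller != src and (src, caller) not in self.operators:
            raise PermissionError("caller is not approved by src")
        self.owner[token_id] = dst


class Bridge:
    """Constructed stand-in for the bridge escrow; names are hypothetical."""
    ADDRESS = "bridge"

    def __init__(self, nft):
        self.nft = nft
        self.l1_claims = {}      # token_id -> L1 address allowed to withdraw

    def deposit_with_from(self, caller, from_, owner_l1, token_id):
        # Variant the finding warns about: from_ is caller-supplied and never
        # compared with caller, so the user's approval authorizes any caller.
        self.nft.transfer_from(self.ADDRESS, from_, self.ADDRESS, token_id)
        self.l1_claims[token_id] = owner_l1

    def deposit(self, caller, owner_l1, token_id):
        # Recommended form: the token source is always the caller itself.
        self.nft.transfer_from(self.ADDRESS, caller, self.ADDRESS, token_id)
        self.l1_claims[token_id] = owner_l1


def run(variant):
    """Return (token owner, L1 claimant) after a third party calls deposit."""
    nft = NFT()
    nft.owner[1] = "victim"
    bridge = Bridge(nft)
    nft.set_approval_for_all("victim", Bridge.ADDRESS)  # approval given beforehand
    try:
        if variant == "with_from":
            bridge.deposit_with_from("attacker", "victim", "attacker_l1", 1)
        else:
            bridge.deposit("attacker", "attacker_l1", 1)
    except PermissionError:
        pass  # the deposit reverted, state is unchanged
    return nft.owner[1], bridge.l1_claims.get(1)
```

With the `from` variant the token ends up escrowed with the third party's L1 address as claimant; with the caller-only form the same call reverts and the token stays with its owner.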
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.