Era

Summary

The finalizeDeposit function is not payable, which means calling requestL2TransactionTwoBridges with a nonzero _request.l2Value will cause a revert on the destination chain.

Vulnerability Details

The finalizeDeposit functions in both the L2AssetRouter and L2SharedBridgeLegacy contracts are not payable:

• L2AssetRouter.finalizeDeposit

• L2SharedBridgeLegacy.finalizeDeposit

This means that when using the function requestL2TransactionTwoBridges to bridge a non-base token to a zk chain, and if the _request.l2Value is nonzero, it implies that some base token (as msg.value) will be forwarded to the L2AssetRouter::finalizeDeposit or L2SharedBridgeLegacy::finalizeDeposit function. However, since neither of these functions are payable, this will result in a revert.

The flow leading to this issue starts from:

• The requestL2TransactionTwoBridges function, which bridges the token with a nonzero _request.l2Value:
  Link to source

Additionally, the getDepositCalldata function determines which deposit function will be called based on whether the token is registered with NTV (Native Token Vault) or not:

• Link to source

If the token is not registered with NTV, the destination will call L2AssetRouter::finalizeDeposit. Otherwise, it will call L2SharedBridgeLegacy::finalizeDeposit.

Both of these functions, however, are non-payable, meaning they cannot accept the base token value as part of the transaction, leading to a revert if _request.l2Value is nonzero.

Impact

If _request.l2Value is nonzero when calling requestL2TransactionTwoBridges, the transaction will fail and revert on the destination chain.

Tools Used

Recommendations

To avoid this issue, either:

• Enforce that _request.l2Value must be zero when calling requestL2TransactionTwoBridges, or

• Make the finalizeDeposit functions payable (though this might not be the most appropriate solution).