Vulnerability Summary

The implementation of the _ensureTokenRegisteredWithNTV function in the L2AssetRouter contract is flawed, causing it to always return bytes32(0) for tokens. This results in users being unable to withdraw their tokens from Layer 2, as the asset ID cannot be resolved to a valid asset handler address in the _withdrawSender function.

Vulnerability Details

When users attempt to withdraw tokens from Layer 2 using the L2AssetRouter::withdrawToken function, the process involves several steps:

1. Calling withdrawToken: Users call the withdrawToken function, which is intended to facilitate the withdrawal of tokens from Layer 2 to Layer 1.

2. Token Registration Check: The function calls _ensureTokenRegisteredWithNTV to verify if the token is registered with the native token vault and to retrieve its asset ID.

3. Flawed Implementation: The implementation of _ensureTokenRegisteredWithNTV is as follows:

The function declares assetId in its return statement, but fails to set the variable in the function body leading to the function returning the default bytes32 value, bytes32(0).

4. Withdrawal Process Failure: When _withdrawSender is called, it relies on the asset ID returned by _ensureTokenRegisteredWithNTV. Since the asset ID is bytes32(0), the function cannot resolve the asset handler address, leading to a failure in processing the withdrawal.

Impact

Users are unable to withdraw their tokens from Layer 2, effectively locking their assets in the system. A core functionality of the protocol is effectively shutdown.

Tools Used

Manual review

Recommendation

To resolve this issue, the following recommendations should be implemented:

• Ensure that the assetId is correctly set after calling nativeTokenVault.ensureTokenIsRegistered(_token). The function should be modified as follows:

• Before the above can work, we have to also update the NativeTokenVault::ensureTokenIsRegistered to return the appropriate value.