Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
48 lines (36 loc) · 1.81 KB

074.md

File metadata and controls

48 lines (36 loc) · 1.81 KB
Raw

csanuragjain

low

Delayed checks could lead to loss of funds

Summary

Few checks are performed after User has sent a transaction from L1-L2. If these checks fail then transaction cannot proceed and fund are stuck

Vulnerability Detail

  1. Lets say User A bridges local token A to remote token B using bridgeERC20To

  2. This eventually is executed on L2 in finalizeBridgeERC20 function

function finalizeBridgeERC20(
        address _localToken,
        address _remoteToken,
        address _from,
        address _to,
        uint256 _amount,
        bytes calldata _extraData
    ) public onlyOtherBridge {
        if (_isOptimismMintableERC20(_localToken)) {
            require(
                _isCorrectTokenPair(_localToken, _remoteToken),
                "StandardBridge: wrong remote token for Optimism Mintable ERC20 local token"
            );
			...
			}

  1. Lets say User mistakenly provided incorrect token pair B for A then require condition fails and transaction cannot process, thus funds are stuck

  2. If the same checks were performed in L1 then this fund loss could have been prevented

Impact

User will lose funds which were associated with the message

Code Snippet

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/StandardBridge.sol#L334 https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/CrossDomainMessenger.sol#L309

Tool used

Manual Review

Recommendation

The checks should be peformed on the layer sending messages as well. This will prevent users from sending incorrect message and hence prevent there funds