code423n4 (Code4rena) CODE423N4:2023-05-BASE-FINDINGS-ISSUES-120
Jun 09, 2023 - 12:00 a.m.

Underpaying Optimism l2gas(_minGasLimit) may lead to loss of funds


Lines of code

Vulnerability details

Impact

The contract L1StandardBridge.sol is susceptible to a vulnerability where underpaying the l2Gas value provided by users (named "_minGasLimit" throughout the contract) can result in a potential loss of funds. This vulnerability exists in the depositERC20() and depositERC20To() functions, which allow users to initiate deposits by specifying the l2Gas (_minGasLimit) value. If the provided l2Gas (_minGasLimit) value is insufficient or underpaid, it may cause the finalizeBridgeERC20 function in the L2 bridge contract to fail, resulting in a loss of the deposited funds.

This report focuses on deposit functionality; the same issue should be considered for withdraw() and withdrawTo() in the L2 contract.

In L1StandardBridge.sol, the depositERC20() and depositERC20To() functions are used to transfer tokens to L2, either to the sender's own address or to another address. Both functions use the internal function _initiateERC20Deposit, which in turn uses _initiateBridgeERC20, shown below:

File: contracts/L1/L1StandardBridge.sol

    function _initiateBridgeERC20(
        address _localToken,
        address _remoteToken,
        address _from,
        address _to,
        uint256 _amount,
        uint32 _minGasLimit,
        bytes memory _extraData
    ) internal {
        if (_isOptimismMintableERC20(_localToken)) {
            require(
                _isCorrectTokenPair(_localToken, _remoteToken),
                "StandardBridge: wrong remote token for Optimism Mintable ERC20 local token"
            );

            OptimismMintableERC20(_localToken).burn(_from, _amount);
        } else {
            IERC20(_localToken).safeTransferFrom(_from, address(this), _amount);
            deposits[_localToken][_remoteToken] = deposits[_localToken][_remoteToken] + _amount;
        }

        // Emit the correct events. By default this will be ERC20BridgeInitiated, but child
        // contracts may override this function in order to emit legacy events as well.
        _emitERC20BridgeInitiated(_localToken, _remoteToken, _from, _to, _amount, _extraData);

        MESSENGER.sendMessage(
            address(OTHER_BRIDGE),
            abi.encodeWithSelector(
                this.finalizeBridgeERC20.selector,
                // Because this call will be executed on the remote chain, we reverse the order of
                // the remote and local token addresses relative to their order in the
                // finalizeBridgeERC20 function.
                _remoteToken,
                _localToken,
                _from,
                _to,
                _amount,
                _extraData
            ),
            _minGasLimit
        );
    }

This Optimism standard token bridge makes the cross-chain deposit by sending a cross-chain message via MESSENGER (i.e. CrossDomainMessenger.sol) to the L2 bridge, or standard bridge here.

The problem here is the _minGasLimit, i.e. l2Gas.

If users provide an insufficient l2Gas (_minGasLimit) value when initiating a deposit, it can result in the failure of the finalizeBridgeERC20 function in the standard bridge contract. Consequently, the deposited funds may be lost, leading to potential financial losses for the affected users.

Proof of Concept

L1StandardBridge.depositERC20(),

<https://github.com/ethereum-optimism/optimism/blob/382d38b7d45bcbf73cb5e1e3f28cbd45d24e8a59/packages/contracts-bedrock/contracts/L1/L1StandardBridge.sol#L157-L173>

L1StandardBridge.depositERC20To(),

<https://github.com/ethereum-optimism/optimism/blob/382d38b7d45bcbf73cb5e1e3f28cbd45d24e8a59/packages/contracts-bedrock/contracts/L1/L1StandardBridge.sol#L188-L205>

A similar Medium-severity finding from the Li.Fi audit at Spearbit: <https://solodit.xyz/issues/7049>

Tools Used

Manual review

Recommended Mitigation Steps

To mitigate the risk of losing user funds, it is crucial to address the issue and provide clear guidance to users. The following recommendations are suggested:

Enhance Documentation: Update the user documentation, developer guides, and communication channels to emphasize the importance of providing an adequate l2Gas/l1Gas value when initiating deposits. Clearly explain the potential consequences of underpaying the l2Gas/l1Gas value and provide specific guidance on determining an appropriate value.

Input Validation: Implement input validation mechanisms to ensure that users provide a sufficient l2Gas/l1Gas value when initiating deposits. This can include setting minimum gas limits and providing warnings when users provide values that are below the recommended thresholds.
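
One way to apply the input-validation recommendation without modifying the bridge, as an added example that is not from the report or the Optimism code base: a hypothetical wrapper contract, `GasFlooredDepositor`, that enforces a floor on `_minGasLimit` before forwarding to `depositERC20To()`. The floor `MIN_L2_GAS` is an assumed deployment parameter, and the OpenZeppelin import paths are assumptions about the build setup.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

import { IERC20 } from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import { SafeERC20 } from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Minimal view of the bridge entry point named in this report.
interface IL1StandardBridge {
    function depositERC20To(
        address _l1Token, address _l2Token, address _to,
        uint256 _amount, uint32 _minGasLimit, bytes calldata _extraData
    ) external;
}

// Hypothetical wrapper (not part of the Optimism code base): rejects deposits whose
// _minGasLimit is below a configured floor before any tokens are moved.
contract GasFlooredDepositor {
    using SafeERC20 for IERC20;

    IL1StandardBridge public immutable BRIDGE;
    // Assumed floor; derive the real value by measuring finalizeBridgeERC20 on L2.
    uint32 public immutable MIN_L2_GAS;

    error MinGasLimitTooLow(uint32 provided, uint32 required);

    constructor(IL1StandardBridge _bridge, uint32 _minL2Gas) {
        BRIDGE = _bridge;
        MIN_L2_GAS = _minL2Gas;
    }

    // Assumes a standard ERC20 without transfer fees, so the full _amount arrives here.
    function depositERC20To(
        address _l1Token, address _l2Token, address _to,
        uint256 _amount, uint32 _minGasLimit, bytes calldata _extraData
    ) external {
        // Validate first so an underpaid request reverts on L1 with tokens untouched.
        if (_minGasLimit < MIN_L2_GAS) revert MinGasLimitTooLow(_minGasLimit, MIN_L2_GAS);

        // Pull the tokens, approve the bridge for exactly this amount, then forward.
        IERC20(_l1Token).safeTransferFrom(msg.sender, address(this), _amount);
        IERC20(_l1Token).safeIncreaseAllowance(address(BRIDGE), _amount);
        BRIDGE.depositERC20To(_l1Token, _l2Token, _to, _amount, _minGasLimit, _extraData);
    }
}
```

Because the wrapper is the caller, the bridge records the wrapper's address as `_from`; the recipient `_to` is passed through unchanged.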

Assessed type

Other

