Open code423n4 opened 2 years ago
Severity: 2 (Med)
We'll fix this, but noting that the funds are recoverable because the BridgeMinter can set a new L1Migrator that does have the receive() function which is why the suggested severity is 2 (Med).
Agree with sponsor, these funds are recoverable. However, the warden has identified a DOS attack, which is a valid medium
severity issue.
Handle
WatchPug
Vulnerability details
https://github.com/livepeer/arbitrum-lpt-bridge/blob/ebf68d11879c2798c5ec0735411b08d0bea4f287/contracts/L1/gateway/L1Migrator.sol#L308-L310
L1Migrator.sol#migrateETH()
will callIBridgeMinter(bridgeMinterAddr).withdrawETHToL1Migrator()
to withdraw ETH fromBridgeMinter
.However, the current implementation of
L1Migrator
is unable to receive ETH.https://github.com/livepeer/protocol/blob/20e7ebb86cdb4fe9285bf5fea02eb603e5d48805/contracts/token/BridgeMinter.sol#L94-L94
A contract receiving Ether must have at least one of the functions below:
receive() external payable
fallback() external payable
receive()
is called ifmsg.data
is empty, otherwisefallback()
is called.Because
L1Migrator
implement neitherreceive()
orfallback()
, thecall
at L94 will always revert.Impact
All the ETH held by the
BridgeMinter
can get stuck in the contract.Recommandation
Add
receive() external payable {}
inL1Migrator
.