code-423n4 / 2022-01-livepeer-findings


L2Migrator calls wrong function on bondingManager #223

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

harleythedog

Vulnerability details

Impact

In L2Migrator, the function bondFor calls the function "bondForWithHint" on the bondingManager. This function does not exist anywhere in the protocol: the correct function name is simply "bondWithHint". This is a run-time issue (the contracts will still compile), so the result will be that the bondFor function will call the fallback function on the bondingManager, which means that bondFor will do nothing. Since bondFor does nothing, migrations from L1 to L2 will not work and people will not be staked correctly. For more information on what happens in this exact scenario, this article here goes into detail about incorrect interfaces and fallback functions.

Proof of Concept

See the L2Migrator function bondFor here. Notice that this calls the function bondForWithHint on the bondingManager. If you ctrl+f all of the related protocol code files, this function does not exist anywhere except for within L2Migrator and the L2Migrator test script (which simply tests that this function gets called, but this doesn't properly test that it exists and works as expected). Looking at the bondingManager contract here, it is clear that the correct function is named bondWithHint.

Tools Used

Manual inspection.

Recommended Mitigation Steps

Change all occurrences of bondForWithHint to bondWithHint in L2Migrator.

yondonfu commented 2 years ago

Labeled as sponsor disputed for the same reasons mentioned in this comment.

0xleastwood commented 2 years ago

As per the README, the implementation for BondingManager.sol can actually be found at commit 439445f3ab6ef88f490ee2fdafb84c7d8fee76f3. So I'll mark this issue as invalid.
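
Added example, not part of the issue thread or the Livepeer code base: a check that every function a caller's interface declares exists, with matching argument types, in the ABI of the target revision being reviewed. The two target ABIs and all argument lists are constructed placeholders; only the names bondForWithHint and bondWithHint come from the report.

```python
def canonical_type(param):
    """Canonical ABI type; tuples expand to (t1,t2,...) plus any array suffix."""
    t = param["type"]
    if t.startswith("tuple"):
        inner = ",".join(canonical_type(c) for c in param.get("components", []))
        return f"({inner}){t[len('tuple'):]}"
    return t

def signatures(abi):
    """Canonical signature strings for every function entry in an ABI."""
    return {
        f"{e['name']}({','.join(canonical_type(p) for p in e.get('inputs', []))})"
        for e in abi if e.get("type") == "function"
    }

def check_interface(interface_abi, target_abi):
    """List interface functions that the target ABI does not implement."""
    target = signatures(target_abi)
    # A fallback entry means an unknown selector is routed there instead of
    # failing at dispatch; what happens next depends on the fallback body.
    reaches_fallback = any(e.get("type") == "fallback" for e in target_abi)
    findings = []
    for sig in sorted(signatures(interface_abi) - target):
        name = sig.split("(", 1)[0]
        findings.append({
            "missing": sig,
            # Same name with different argument types is also a selector mismatch.
            "same_name_in_target": sorted(
                s for s in target if s.split("(", 1)[0] == name),
            "reaches_fallback": reaches_fallback,
        })
    return findings

def fn(name, *types):
    """Build a minimal ABI function entry (helper for the constructed samples)."""
    return {"type": "function", "name": name,
            "inputs": [{"name": f"arg{i}", "type": t} for i, t in enumerate(types)]}

# Constructed sample ABIs. Argument lists are placeholders, not Livepeer's.
ARGS = ("uint256", "address", "address")
CALLER_INTERFACE = [fn("bondForWithHint", *ARGS)]
TARGET_REV_A = [fn("bondWithHint", *ARGS), {"type": "fallback"}]
TARGET_REV_B = TARGET_REV_A + [fn("bondForWithHint", *ARGS)]

if __name__ == "__main__":
    for label, abi in (("rev A", TARGET_REV_A), ("rev B", TARGET_REV_B)):
        print(label, check_interface(CALLER_INTERFACE, abi) or "interface satisfied")
```

The same interface is reported as broken against one revision and satisfied against the other, so the ABI fed to the check has to be built from the exact commit that is in scope.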