Closed code423n4 closed 2 years ago
Labeled as sponsor disputed for the same reasons mentioned in this comment.
As per the README, the implementation for `BondingManager.sol` can actually be found at commit 439445f3ab6ef88f490ee2fdafb84c7d8fee76f3. So I'll mark this issue as invalid.
Handle
harleythedog
Vulnerability details
Impact
In `L2Migrator`, the function `bondFor` calls the function "bondForWithHint" on the `bondingManager`. This function does not exist anywhere in the protocol: the correct function name is simply "bondWithHint". This is a run-time issue (the contracts will still compile), so the result will be that the `bondFor` function will call the fallback function on the `bondingManager`, which means that `bondFor` will do nothing. Since `bondFor` does nothing, migrations from L1 to L2 will not work and people will not be staked correctly. For more information on what happens in this exact scenario, this article here goes into detail about incorrect interfaces and fallback functions.
Proof of Concept
See the `L2Migrator` function `bondFor` here. Notice that this calls the function `bondForWithHint` on the `bondingManager`. If you ctrl+f all of the related protocol code files, this function does not exist anywhere except for within `L2Migrator` and the `L2Migrator` test script (which simply tests that this function gets called, but this doesn't properly test that it exists and works as expected). Looking at the `bondingManager` contract here, it is clear that the correct function is named `bondWithHint`.
Tools Used
Manual inspection.
Recommended Mitigation Steps
Change all occurrences of `bondForWithHint` to `bondWithHint` in `L2Migrator`.
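The report describes a check that a mock-based test cannot make: whether every function the caller's interface declares is actually defined by the implementation it will call. The following is an added example, not part of the original report or the project's code; it compares canonical function signatures between two Solidity sources. The function names come from the report, while the parameter lists, the `IBondingManager` interface name and the `unbond` function are constructed placeholders.

```python
import re

# Constructed, simplified sources: function names are taken from the report,
# parameter lists are placeholders and not the project's real signatures.
INTERFACE_SRC = """
interface IBondingManager {
    function bondForWithHint(uint256 _amount, address _owner, address _to) external;
}
"""
IMPLEMENTATION_SRC = """
contract BondingManager {
    function bondWithHint(uint256 _amount, address _to) public { }
    function unbond(uint _amount) external { }
}
"""

# Matches simple declarations; function-typed parameters are not handled.
FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)")
LOCATIONS = {"memory", "calldata", "storage"}


def canonical_type(param):
    """Reduce 'uint _x' or 'bytes calldata _d' to the type used in the ABI signature."""
    words = [w for w in param.split() if w not in LOCATIONS]
    # 'uint' and 'int' are aliases for the 256-bit types in the ABI.
    return re.sub(r"^(u?int)(?=\[|$)", r"\g<1>256", words[0])


def signatures(source):
    """Return the set of 'name(type,type,...)' signatures declared in source."""
    sigs = set()
    for name, params in FUNC_RE.findall(source):
        types = [canonical_type(p) for p in params.split(",") if p.strip()]
        sigs.add(f"{name}({','.join(types)})")
    return sigs


def missing_from_implementation(interface_src, implementation_src):
    """Signatures the caller expects that the implementation does not define."""
    return sorted(signatures(interface_src) - signatures(implementation_src))


if __name__ == "__main__":
    for sig in missing_from_implementation(INTERFACE_SRC, IMPLEMENTATION_SRC):
        print("declared in interface but not implemented:", sig)
```

The result is only meaningful when the implementation source is read from the commit the interface is meant to target.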