Function recoverSigner in L1Migrator returns the zero address instead of reverting when the signature is empty:

```solidity
if (_sig.length == 0) {
    return address(0);
}
```

This means the signature verification can be bypassed by passing an empty signature together with address(0) as _l1Addr: the recovered signer (address(0)) equals the supplied _l1Addr, so the check passes and any _l2Addr can be specified.

Recommended Mitigation Steps

It should revert when the signature is empty, or simply let ECDSA.recover reject it (it reverts on a malformed signature length and on a zero recovered address).
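The following is an added example, not the L1Migrator code, showing the vulnerable shape of recoverSigner next to a hardened form and a hypothetical migrate check that compares the recovered signer with the caller-supplied _l1Addr. The digest construction and the migrate function names are assumptions for illustration only; the original names recoverSigner, _sig, _l1Addr and _l2Addr come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the L1Migrator code. The digest layout and the migrate*
// functions are hypothetical; only the recoverSigner / _sig / _l1Addr / _l2Addr
// names come from the finding.
contract MigratorSignatureExample {
    // Vulnerable shape: an empty signature short-circuits to address(0),
    // which later compares equal to a caller-supplied _l1Addr of address(0).
    function recoverSignerVulnerable(bytes32 _digest, bytes memory _sig)
        public pure returns (address)
    {
        if (_sig.length == 0) {
            return address(0);
        }
        (bytes32 r, bytes32 s, uint8 v) = _split(_sig);
        return ecrecover(_digest, v, r, s);
    }

    // Hardened shape: reject anything but a 65-byte signature and reject a
    // zero recovery result (ecrecover returns address(0) on invalid input).
    function recoverSignerHardened(bytes32 _digest, bytes memory _sig)
        public pure returns (address)
    {
        require(_sig.length == 65, "invalid signature length");
        (bytes32 r, bytes32 s, uint8 v) = _split(_sig);
        address signer = ecrecover(_digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }

    // Split a 65-byte r || s || v signature; caller checks the length.
    function _split(bytes memory _sig)
        private pure returns (bytes32 r, bytes32 s, uint8 v)
    {
        assembly {
            r := mload(add(_sig, 32))
            s := mload(add(_sig, 64))
            v := byte(0, mload(add(_sig, 96)))
        }
        if (v < 27) v += 27;
    }

    // Hypothetical migrate check built on the vulnerable recover: with
    // _sig = "" and _l1Addr = address(0) the require passes for any _l2Addr.
    function migrateVulnerable(address _l1Addr, address _l2Addr, bytes memory _sig)
        external pure returns (bool)
    {
        bytes32 digest = keccak256(abi.encode(_l1Addr, _l2Addr));
        require(recoverSignerVulnerable(digest, _sig) == _l1Addr, "bad sig");
        return true;
    }

    // Hardened migrate check: the zero address is never an acceptable signer,
    // and an empty signature reverts inside recoverSignerHardened.
    function migrateHardened(address _l1Addr, address _l2Addr, bytes memory _sig)
        external pure returns (bool)
    {
        require(_l1Addr != address(0), "zero l1 address");
        bytes32 digest = keccak256(abi.encode(_l1Addr, _l2Addr));
        require(recoverSignerHardened(digest, _sig) == _l1Addr, "bad sig");
        return true;
    }
}
```

Calling migrateVulnerable(address(0), anyL2Addr, "") succeeds, while migrateHardened reverts on the same input twice over: once on the explicit zero-address check and again on the signature length. Using OpenZeppelin's ECDSA.recover in place of the hand-rolled recover gives the same protection, since it reverts on a signature that is not 65 bytes and on a zero recovered address.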
Handle
pauliax