Closed code423n4 closed 2 years ago
Labeled as sponsor disputed.
See this note from the contest repo README under the L2 protocol contracts section:
"The repo that contains these contracts is https://github.com/livepeer/protocol/tree/confluence at Git commit hash 439445f3ab6ef88f490ee2fdafb84c7d8fee76f3."
The referenced function does exist in this commit and as mentioned in the README this commit is the one to be used for L2 protocol contract dependencies that the L2Migrator interacts with. We do understand that there might've been some confusion around which commit to look at.
I can't seem to find where the finalizeMigrateSender
is implemented in TicketBroker.sol
. Can you point me to where it is? @yondonfu
@0xleastwood
finalizeMigrateSender()
is defined on L2Migrator here. The function then calls fundDepositAndReserveFor() on the TicketBroker. And fundDepositAndReserveFor()
is defined on the TicketBroker here.
As per the README
, the implementation for TicketBroker.sol
can actually be found at commit 439445f3ab6ef88f490ee2fdafb84c7d8fee76f3
. So I'll mark this issue as invalid
.
Handle
harleythedog
Vulnerability details
Impact
The
L2Migrator
contract makes use of the functionfundDepositAndReserveFor
on the ticket broker. In the commit hash for the contest (seen from this snippet from the contest page:) this function does not exist. This means that any attempts to call this function will result in the fallback function being called, so all calls to
finalizeMigrateSender
on theL2Migrator
will not work correctly.Proof of Concept
See the code the
L2Migrator
here. See the TicketBroker implementation here.Tools Used
Manual inspection.
Recommended Mitigation Steps
Add in the function
finalizeMigrateSender
to theTicketBroker
implementation,NOTE TO JUDGE: I have discussed this issue with the sponsor, we have both agreed that this function technically does not exist in the commit hash provided by the contest. We agreed that I should submit the issue for now, although technically this is not a very real issue since the function has been added in later commits. Since these later commits are outside the scope of the contest, I am guessing this finding is still valid? Also, I realize now that a previous finding I submitted titled "L2Migrator calls wrong function on bondingManager" has this exact same issue.