Closed code423n4 closed 2 years ago
gzeon
Vulnerability details

Impact

Anyone can migrate `address(0)` since there is no check to make sure `_l1Addr != address(0)`, and `recoverSigner` returns `address(0)` if `_sig.length == 0`, which allows anyone to submit a migration tx with `_l1Addr = address(0)` and `_sig = ""`.

Proof of Concept

https://github.com/livepeer/arbitrum-lpt-bridge/blob/ebf68d11879c2798c5ec0735411b08d0bea4f287/contracts/L1/gateway/L1Migrator.sol#L500

```solidity
function requireValidMigration(
    address _l1Addr,
    address _l2Addr,
    bytes32 _structHash,
    bytes memory _sig
) internal view {
    require(
        _l2Addr != address(0),
        "L1Migrator#requireValidMigration: INVALID_L2_ADDR"
    );
    // No check that _l1Addr != address(0); with _sig = "" the right-hand
    // side below evaluates to address(0) == address(0) and passes.
    require(
        msg.sender == _l1Addr ||
            recoverSigner(_structHash, _sig) == _l1Addr,
        "L1Migrator#requireValidMigration: FAIL_AUTH"
    );
}

function recoverSigner(bytes32 _structHash, bytes memory _sig)
    internal
    view
    returns (address)
{
    // Empty signature short-circuits to the zero address instead of reverting.
    if (_sig.length == 0) {
        return address(0);
    }
    bytes32 hash = _hashTypedDataV4(_structHash);
    return ECDSA.recover(hash, _sig);
}
```

Recommended Mitigation Steps

`require(_l1Addr != address(0))`
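A hardened version of the two functions discussed above, added here as an illustration and not code from the Livepeer repository or from the finding; it assumes OpenZeppelin 4.x import paths for `ECDSA` and `draft-EIP712`, and the contract name `HardenedMigrationAuth` is made up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/utils/cryptography/draft-EIP712.sol";

// Hypothetical contract name; mirrors the two functions from the finding
// with the zero-address sentinel removed from the authorization path.
abstract contract HardenedMigrationAuth is EIP712 {
    function requireValidMigration(
        address _l1Addr,
        address _l2Addr,
        bytes32 _structHash,
        bytes memory _sig
    ) internal view {
        // Reject address(0) for both endpoints before any authorization logic
        // runs, so a zero sentinel can never satisfy the signer comparison.
        require(_l1Addr != address(0), "HardenedMigrationAuth: INVALID_L1_ADDR");
        require(_l2Addr != address(0), "HardenedMigrationAuth: INVALID_L2_ADDR");

        // A direct call from the L1 address itself needs no signature.
        if (msg.sender == _l1Addr) {
            return;
        }

        // Delegated path: a signature must be present and recover to _l1Addr.
        require(_sig.length != 0, "HardenedMigrationAuth: MISSING_SIG");
        require(
            recoverSigner(_structHash, _sig) == _l1Addr,
            "HardenedMigrationAuth: FAIL_AUTH"
        );
    }

    function recoverSigner(bytes32 _structHash, bytes memory _sig)
        internal
        view
        returns (address)
    {
        bytes32 hash = _hashTypedDataV4(_structHash);
        // No empty-signature short circuit: OpenZeppelin's ECDSA.recover reverts
        // on an empty or malformed signature instead of returning address(0).
        return ECDSA.recover(hash, _sig);
    }
}
```

Because `ECDSA.recover` reverts rather than returning a sentinel, the explicit `_sig.length` check is defence in depth; the `_l1Addr != address(0)` guard is the change that actually closes the bypass the finding describes.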
Duplicate of https://github.com/code-423n4/2022-01-livepeer-findings/issues/142