code-423n4 / 2022-01-livepeer-findings

Anyone can migrate address(0) #242

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

gzeon

Vulnerability details

Impact

Anyone can migrate address(0), since there is no check to make sure _l1Addr != address(0) and recoverSigner returns address(0) if _sig.length == 0, which allows anyone to submit a migration tx with _l1Addr = address(0) and _sig = "".

Proof of Concept

https://github.com/livepeer/arbitrum-lpt-bridge/blob/ebf68d11879c2798c5ec0735411b08d0bea4f287/contracts/L1/gateway/L1Migrator.sol#L500

    function requireValidMigration(
        address _l1Addr,
        address _l2Addr,
        bytes32 _structHash,
        bytes memory _sig
    ) internal view {
        require(
            _l2Addr != address(0),
            "L1Migrator#requireValidMigration: INVALID_L2_ADDR"
        );
        require(
            msg.sender == _l1Addr ||
                recoverSigner(_structHash, _sig) == _l1Addr,
            "L1Migrator#requireValidMigration: FAIL_AUTH"
        );
    }

    function recoverSigner(bytes32 _structHash, bytes memory _sig)
        internal
        view
        returns (address)
    {
        if (_sig.length == 0) {
            return address(0);
        }

        bytes32 hash = _hashTypedDataV4(_structHash);
        return ECDSA.recover(hash, _sig);
    }

Recommended Mitigation Steps

    require(_l1Addr != address(0))

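
A hardened version of the check, written as an added example for this finding (not Livepeer's code or the auditor's): it applies the recommended `_l1Addr != address(0)` guard and, as a second layer, refuses to treat an empty signature as a recovered signer. It assumes OpenZeppelin Contracts 4.x; the contract name and the EIP-712 domain name/version are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x (before 4.9, where draft-EIP712 became EIP712).
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import "@openzeppelin/contracts/utils/cryptography/draft-EIP712.sol";

// Illustrative contract, not the Livepeer L1Migrator; domain name/version are placeholders.
contract MigrationAuthExample is EIP712 {
    constructor() EIP712("ExampleMigrator", "1") {}

    // Hardened check. Compared with the reported code it adds two guards:
    //  1. _l1Addr must not be the zero address, so a recovered "address(0)"
    //     signer can never satisfy the equality test;
    //  2. an empty _sig is never mapped to address(0); it is simply an
    //     authentication failure on the delegated path.
    function requireValidMigration(
        address _l1Addr,
        address _l2Addr,
        bytes32 _structHash,
        bytes memory _sig
    ) internal view {
        require(_l1Addr != address(0), "requireValidMigration: INVALID_L1_ADDR");
        require(_l2Addr != address(0), "requireValidMigration: INVALID_L2_ADDR");

        // Direct call from the L1 address itself needs no signature.
        if (msg.sender == _l1Addr) {
            return;
        }

        // Delegated call: require a real signature over the EIP-712 struct hash.
        require(_sig.length != 0, "requireValidMigration: MISSING_SIG");
        bytes32 digest = _hashTypedDataV4(_structHash);
        // ECDSA.recover reverts on malformed signatures instead of returning address(0).
        address signer = ECDSA.recover(digest, _sig);
        require(signer == _l1Addr, "requireValidMigration: FAIL_AUTH");
    }

    // External entry point so the check can be exercised from a test harness.
    function checkMigration(
        address _l1Addr,
        address _l2Addr,
        bytes32 _structHash,
        bytes calldata _sig
    ) external view returns (bool) {
        requireValidMigration(_l1Addr, _l2Addr, _structHash, _sig);
        return true;
    }
}
```

Calling checkMigration(address(0), someL2Addr, anyHash, "") from any account now reverts with INVALID_L1_ADDR, whereas the reported code would have accepted it.
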
yondonfu commented 2 years ago

Duplicate of https://github.com/code-423n4/2022-01-livepeer-findings/issues/142