BridgeEscrow.approveAll lets the governor grant an arbitrary _spender an unlimited allowance over all the GRT held in BridgeEscrow, i.e. the L1 collateral backing every token bridged to Arbitrum.
The function is intended as an escape hatch (a Merkle proof contract, approved as the spender, would let users reclaim funds based on an L2 snapshot), but nothing in the code restricts the spender to such a contract. A single governor transaction can therefore redirect the entire escrow balance, which makes approveAll a rugging vector for users who have bridged their GRT to Arbitrum.
Impact
Medium
Proof Of Concept
Users bridge their GRT to L2
Governor calls BridgeEscrow.approveAll(recipient), where recipient is a malicious EOA or contract
recipient calls GRT.transferFrom(BridgeEscrow, recipient, balance) and drains all the GRT held in BridgeEscrow
Tools Used
Manual Analysis
Mitigation
A timelock on approveAll would be complicated to design correctly because of Arbitrum's dispute period.
A safer option is an emergency withdrawal built on a "pull" pattern, so that users reclaim their own funds instead of a governor-chosen spender receiving a blanket allowance. It can be combined with the Merkle proof snapshot detailed in the specs: governance publishes a root over (account, amount) leaves derived from the L2 snapshot, and each user proves their own leaf to withdraw exactly that amount.
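The following contract is an added illustration of the mitigation, not code from the 2022-10-thegraph repository. It places the approveAll pattern from the finding next to a pull-based emergency withdrawal keyed to a Merkle snapshot root. The governor modifier, the enableEmergency/emergencyClaim functions, the leaf encoding and the event names are all assumptions made for this example; only the OpenZeppelin IERC20 and MerkleProof imports are real library APIs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// Hypothetical escrow used to contrast the two designs. Not the real BridgeEscrow.
contract EscrowExample {
    IERC20 public immutable grt;
    address public governor; // assumption: single governor address, as in the PoC

    // Emergency state: one Merkle root over keccak(account, amount) leaves built
    // from the L2 snapshot, set once by governance, then every user pulls their own share.
    bytes32 public snapshotRoot;
    bool public emergencyMode;
    mapping(address => bool) public claimed;

    event EmergencyEnabled(bytes32 snapshotRoot);
    event EmergencyClaim(address indexed account, uint256 amount);

    modifier onlyGovernor() {
        require(msg.sender == governor, "not governor");
        _;
    }

    constructor(IERC20 _grt, address _governor) {
        grt = _grt;
        governor = _governor;
    }

    // --- Vulnerable pattern described in the finding ---
    // One governor transaction hands an arbitrary spender an unlimited allowance over
    // every token held here; the spender then drains it with GRT.transferFrom.
    function approveAll(address _spender) external onlyGovernor {
        grt.approve(_spender, type(uint256).max);
    }

    // --- Mitigation: pull pattern bounded by the snapshot ---
    // Governance can only publish a root; it never receives tokens or an allowance.
    function enableEmergency(bytes32 _snapshotRoot) external onlyGovernor {
        require(!emergencyMode, "already enabled");
        require(_snapshotRoot != bytes32(0), "empty root");
        snapshotRoot = _snapshotRoot;
        emergencyMode = true;
        emit EmergencyEnabled(_snapshotRoot);
    }

    // Each user proves (msg.sender, amount) is a leaf of the snapshot and withdraws
    // exactly that amount, once. The leaf is double-hashed so a 64-byte abi.encode
    // leaf can never be mistaken for an internal node of the tree.
    function emergencyClaim(uint256 amount, bytes32[] calldata proof) external {
        require(emergencyMode, "not in emergency");
        require(!claimed[msg.sender], "already claimed");
        bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(msg.sender, amount))));
        require(MerkleProof.verify(proof, snapshotRoot, leaf), "bad proof");
        claimed[msg.sender] = true; // effects before interaction
        require(grt.transfer(msg.sender, amount), "transfer failed");
        emit EmergencyClaim(msg.sender, amount);
    }
}
```

The difference that matters for the finding is who is the recipient of value: with approveAll it is whatever address the governor names, with emergencyClaim it is always msg.sender, capped at the amount recorded for that account in the snapshot. Governance still has to be trusted to publish an honest root, so an off-chain verifiable snapshot (or a delay before the root becomes claimable) is still needed to close the gap fully; the pull pattern removes the single-transaction drain, it does not remove the trust in the snapshot itself.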
Lines of code
https://github.com/code-423n4/2022-10-thegraph/blob/309a188f7215fa42c745b136357702400f91b4ff/contracts/gateway/BridgeEscrow.sol#L28-L30