code-423n4 / 2022-10-thegraph-findings

Admin rug vector in `BridgeEscrow` #208

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-thegraph/blob/309a188f7215fa42c745b136357702400f91b4ff/contracts/gateway/BridgeEscrow.sol#L28-L30

Vulnerability details

BridgeEscrow.approveAll allows a _spender to transfer all the GRT stored in BridgeEscrow.

While this function is meant to be used as an escape hatch - by using a Merkle proof contract to reclaim funds based on an L2 snapshot, it still constitutes a potential rugging vector that can grieve users that have bridged their GRT to Arbitrum.

Impact

Medium

Proof Of Concept

Tools Used

Manual Analysis

Mitigation

A timelock system would be complicated to design because of Arbitrum's dispute period. A safer option is to have an emergency withdrawal using a "pull" pattern to allow users to reclaim funds themselves. You can combine it with the Merkle Proof snapshot detailed in the specs.
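A sketch of the pull-pattern withdrawal suggested in the mitigation above, added here as an illustration; it is not part of the original report or The Graph's code. The contract name, the leaf encoding, and the assumption that the contract itself holds the escrowed tokens with the snapshot root fixed at deployment are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration only; SnapshotClaim, snapshotRoot and claim are hypothetical names.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract SnapshotClaim {
    IERC20 public immutable token;          // escrowed token (GRT in the report)
    bytes32 public immutable snapshotRoot;  // Merkle root of the L2 balance snapshot
    mapping(address => bool) public claimed;

    event Claimed(address indexed account, uint256 amount);

    constructor(IERC20 _token, bytes32 _snapshotRoot) {
        token = _token;
        snapshotRoot = _snapshotRoot;
    }

    // Pull pattern: each holder withdraws only their own snapshot balance,
    // so no single spender ever holds an allowance over the whole escrow.
    function claim(uint256 amount, bytes32[] calldata proof) external {
        require(!claimed[msg.sender], "already claimed");

        // Assumed leaf encoding: double hash of (account, amount), so a
        // 64-byte leaf preimage cannot be confused with an internal node.
        bytes32 node = keccak256(
            bytes.concat(keccak256(abi.encode(msg.sender, amount)))
        );

        // Walk up the tree, hashing each pair in sorted order.
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 sibling = proof[i];
            node = node < sibling
                ? keccak256(abi.encodePacked(node, sibling))
                : keccak256(abi.encodePacked(sibling, node));
        }
        require(node == snapshotRoot, "invalid proof");

        // Record the claim before the external call (checks-effects-interactions).
        claimed[msg.sender] = true;
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Claimed(msg.sender, amount);
    }
}
```

Binding the leaf to `msg.sender` means a valid proof can only release funds to the account it was built for, and the `claimed` flag prevents the same proof from being replayed.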

trust1995 commented 1 year ago

Seems to be an issue the project is aware of.

0xean commented 1 year ago

dupe of #40