code-423n4 / 2022-10-thegraph-findings


`transferFrom` with arbitrary `from` address allows attackers to receive tokens in L2 without paying #234

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/gateway/L1GraphTokenGateway.sol#L235

Vulnerability details

Impact

In https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/gateway/L1GraphTokenGateway.sol#L235, the line

                token.transferFrom(from, escrow, _amount);

uses an arbitrary `from` address. So an attacker can deposit the victim's GRT tokens on L1, by using the victim's address as the `from` address, and receive equivalent tokens on L2 at the attacker's address.

Proof of Concept

https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/gateway/L1GraphTokenGateway.sol#L235

Tools Used

Manual review

Recommended Mitigation Steps

Whitelist the function outboundTransfer

trust1995 commented 1 year ago

`from` is not an arbitrary address; it is calculated to be `msg.sender`, or the caller of the router function in case it is a router call.
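The derivation trust1995 describes, as an added illustrative sketch that is not the project's gateway code: `from` is never taken from a user-supplied parameter but resolved from `msg.sender`, with the router branch decoding the original caller that a trusted router prepended. The `router` address, the `(address, bytes)` encoding of the router data and the `escrow` field are assumptions for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative gateway sketch (not the project's code). The security point:
/// the address the tokens are pulled from is resolved from msg.sender, so a
/// caller cannot name a victim as `from` and have their tokens escrowed.
contract GatewaySketch {
    IERC20 public immutable token;
    address public immutable escrow;   // assumed: L1 escrow holding bridged GRT
    address public immutable router;   // assumed: trusted L1 gateway router

    event DepositInitiated(address indexed from, address indexed to, uint256 amount);

    constructor(IERC20 _token, address _escrow, address _router) {
        token = _token;
        escrow = _escrow;
        router = _router;
    }

    /// Note there is no `from` parameter at all; it comes from _parseOutboundData.
    function outboundTransfer(address _l1Token, address _to, uint256 _amount, bytes calldata _data) external {
        require(_l1Token == address(token), "TOKEN_NOT_GRT");
        require(_amount > 0, "INVALID_ZERO_AMOUNT");
        (address from, ) = _parseOutboundData(_data);

        // Only succeeds if `from` (the resolved sender) approved this contract.
        require(token.transferFrom(from, escrow, _amount), "TRANSFER_FAILED");
        emit DepositInitiated(from, _to, _amount);
    }

    /// Direct call: the sender is msg.sender. Router call: only the trusted
    /// router can reach this branch, and it encodes the original caller itself,
    /// so an untrusted caller cannot forge a `from` via the data field either.
    function _parseOutboundData(bytes calldata _data) internal view returns (address from, bytes memory extraData) {
        if (msg.sender == router) {
            (from, extraData) = abi.decode(_data, (address, bytes));
        } else {
            from = msg.sender;
            extraData = _data;
        }
    }
}
```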