Closed: code423n4 closed this issue 1 year ago
0xleastwood marked the issue as primary issue
0xleastwood marked the issue as satisfactory
0xleastwood marked the issue as selected for report
Provide a PoC to show the impact described.
anupsv marked the issue as sponsor disputed
@JeffCX please provide PoC per the sponsor's request.
@JeffCX please provide POC within 24 hours.
No POC, so marking invalid for now.
0xleastwood marked the issue as unsatisfactory: Insufficient proof
Lines of code
https://github.com/ethereum-optimism/optimism/blob/382d38b7d45bcbf73cb5e1e3f28cbd45d24e8a59/packages/contracts-bedrock/contracts/L1/L1ERC721Bridge.sol#L77
Vulnerability details
Impact
Loss of airdropped Token or NFT in NFT Bridge and Token Bridge
Proof of Concept
Contract L1ERC721Bridge is for bridging NFTs from L1 to L2 and it holds all the bridged NFTs.
Most NFT projects airdrop new NFTs or ERC20 tokens to previous holders, either by sending the new NFTs to the holders' addresses or by allowing the holder to call a function and receive the airdrop.
There is no functionality to handle airdropped NFTs in the NFT bridge. Users would lose pushed airdrops, which would be locked in the bridge, and for pull airdrops users would need to bridge the NFT back from L2 and then call the airdrop function.
The impact is:
If a project sends NFTs directly to token holders, then contract L1ERC721Bridge would receive those NFTs, and because there is no functionality in the code to withdraw them (by the owner of the old NFT or by an admin), those NFTs would be locked in the contract forever.
As L1ERC721Bridge is going to be the standard NFT bridge between the two networks, it is going to hold a lot of NFTs, so a lot of airdrops would be locked in it and a lot of users would lose their airdropped NFTs.
If a project airdrops new NFTs by allowing holders to call getAirdrop(), then users would need to bridge their NFTs back from L2 to L1 to receive the airdrop and then bridge the NFT back to L2, paying extra gas for multiple transactions.
Tools Used
Manual Review
Recommended Mitigation Steps
We recommend the protocol add a function for the admin to sweep tokens or NFTs from the bridge to avoid loss of airdrops.
Assessed type
Token-Transfer
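The mitigation proposed above has a caveat a reviewer would want stated: an admin sweep on an escrow contract must refuse to move tokens that are currently bridged, or the recovery helper becomes a way for the admin to take custody of users' NFTs. The sketch below is an added example written for this page; it is not L1ERC721Bridge and not Optimism's code. The contract name EscrowWithSweep, the functions deposit, finalizeWithdrawal and sweepERC721, the admin role standing in for the cross-domain messenger check, and the `deposits[token][tokenId]` bookkeeping are all assumptions made here for illustration. Sweeping ERC20 balances is omitted; the same escrow-vs-stray distinction applies there.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Minimal ERC-721 surface needed by the sketch.
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4);
}

/// Hypothetical escrow sketch (example code, not L1ERC721Bridge).
/// `deposits[token][tokenId]` is true while the token is escrowed for an
/// L2 counterpart. Anything the contract holds without that flag set was
/// pushed in from outside (for example an airdrop) and is all a sweep may move.
contract EscrowWithSweep is IERC721Receiver {
    address public immutable admin;
    mapping(address => mapping(uint256 => bool)) public deposits;

    event Deposited(address indexed token, address indexed from, uint256 indexed tokenId);
    event Withdrawn(address indexed token, address indexed to, uint256 indexed tokenId);
    event Swept(address indexed token, address indexed to, uint256 indexed tokenId);

    error NotAdmin();
    error NotHeld(address token, uint256 tokenId);
    error TokenIsEscrowed(address token, uint256 tokenId);
    error NotEscrowed(address token, uint256 tokenId);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(address _admin) {
        admin = _admin;
    }

    /// Deposit path, simplified: pull the token in and record the escrow.
    function deposit(address token, uint256 tokenId) external {
        IERC721(token).transferFrom(msg.sender, address(this), tokenId);
        deposits[token][tokenId] = true;
        emit Deposited(token, msg.sender, tokenId);
    }

    /// Withdrawal path, simplified: in a real bridge this is gated by the
    /// cross-domain messenger; here the admin stands in for that check.
    function finalizeWithdrawal(address token, address to, uint256 tokenId) external onlyAdmin {
        if (!deposits[token][tokenId]) revert NotEscrowed(token, tokenId);
        deposits[token][tokenId] = false;
        IERC721(token).safeTransferFrom(address(this), to, tokenId);
        emit Withdrawn(token, to, tokenId);
    }

    /// Sweep for tokens that arrived outside the deposit path.
    /// The escrow check is the point: an unchecked
    ///     IERC721(token).safeTransferFrom(address(this), to, tokenId);
    /// behind onlyAdmin would let the admin move any bridged NFT, turning a
    /// recovery helper into a custody hole.
    function sweepERC721(address token, address to, uint256 tokenId) external onlyAdmin {
        if (deposits[token][tokenId]) revert TokenIsEscrowed(token, tokenId);
        if (IERC721(token).ownerOf(tokenId) != address(this)) revert NotHeld(token, tokenId);
        IERC721(token).safeTransferFrom(address(this), to, tokenId);
        emit Swept(token, to, tokenId);
    }

    /// Accept safeTransferFrom pushes (such as airdrops). An ERC-721
    /// safeTransferFrom to a contract without this hook reverts, so whether a
    /// pushed airdrop lands in the contract or bounces depends on which
    /// transfer function the airdropping project uses.
    function onERC721Received(address, address, uint256, bytes calldata) external pure override returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

The design choice worth keeping from this sketch is that sweepability is derived from the contract's own escrow bookkeeping rather than from the admin's judgement: `sweepERC721` can only ever move a token whose `deposits` flag is false, and `finalizeWithdrawal` clears that flag only on the legitimate release path. Whether a pushed airdrop is locked at all also depends on the sender's transfer method, since `safeTransferFrom` to a contract lacking `onERC721Received` reverts rather than depositing the token.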