Closed c4-bot-2 closed 2 months ago
Invalid. Non standard implementations of ERC20 are not allowed.
saxenism (sponsor) disputed
The Warden specifies that a malicious token implementation can compromise the L1ERC20Bridge contract's operations, however, it does not clarify in this regard.
The PoC provided is invalid as the FeeOnTransferToken::approve operation would have a msg.sender of the contract itself rather than the caller. As such, I consider this exhibit to be invalid.
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-zksync/blob/main/code/contracts/ethereum/contracts/bridge/L1ERC20Bridge.sol#L162
https://github.com/code-423n4/2024-03-zksync/blob/main/code/contracts/ethereum/contracts/bridge/L1ERC20Bridge.sol#L135
Vulnerability details
Impact
Proof of Concept
A malicious user can inject bad code using an arbitrary token with bad code called in the _transfer function.
For a rough example, a bad token like below could be used on the bridge successfully.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
ERC20