Closed github-actions[bot] closed 1 year ago
Comment from Optimism
Description: L1ERC721Bridge safeTransferFrom can have a malicious _to that consumes gas on receive callback.
Reason: This is not in the scope of the audit. The bridge user specifies the destination _to parameter and this functions as expected. If there is an unsafe receive hook it is not in the scope of this audit and is subject to the user's discretion when entering the destination param.
0xWeiss
medium
[M-02] Gas grieffing attack while bridging NFT
Summary
In https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/L1ERC721Bridge.sol#L68
the external call:
it is vulnerable to a gas grieffing attack because the _to address is not always a trusted receiver.
Vulnerability Detail
Case where it is vulnerable: The bridging functionality is used by whatever project/protocol. So, there is a intermediary. And they trigger the calls for the users in their platform passing the _to address as the user address that he inputs.
The address, is a smart contract that has a onERC721Received function that loads lot of data in memory. So, the transaction will be much higher in gas cost for the intermediary.
Impact
Theft of gas/increase gas cost for protocols/intermediaries
Code Snippet
https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/L1ERC721Bridge.sol?plain=1#L68
Tool used
Manual Review
Recommendation
Add some limite\ to the gas that can be used in the external call.