search

sherlock-audit / 2023-01-optimism-judging

24 stars 10 forks source link

0xWeiss - [M-02] Gas grieffing attack while bridging NFT #289

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

0xWeiss

medium

[M-02] Gas grieffing attack while bridging NFT

Summary

In https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/L1ERC721Bridge.sol#L68

the external call:

           IERC721(_localToken).safeTransferFrom(address(this), _to, _tokenId);

it is vulnerable to a gas grieffing attack because the _to address is not always a trusted receiver.

Vulnerability Detail

Case where it is vulnerable: The bridging functionality is used by whatever project/protocol. So, there is a intermediary. And they trigger the calls for the users in their platform passing the _to address as the user address that he inputs.

The address, is a smart contract that has a onERC721Received function that loads lot of data in memory. So, the transaction will be much higher in gas cost for the intermediary.

Impact

Theft of gas/increase gas cost for protocols/intermediaries

Code Snippet

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/L1ERC721Bridge.sol?plain=1#L68

Tool used

Manual Review

Recommendation

Add some limite\ to the gas that can be used in the external call.

rcstanciu commented 1 year ago

Comment from Optimism

Description: L1ERC721Bridge safeTransferFrom can have a malicious _to that consumes gas on receive callback.

Reason: This is not in the scope of the audit. The bridge user specifies the destination _to parameter and this functions as expected. If there is an unsafe receive hook it is not in the scope of this audit and is subject to the user's discretion when entering the destination param.