sherlock-audit / 2024-02-telcoin-platform-audit-update-judging


Arabadzhiev - Assets bridged using the `BridgeRelay` contract will be lost forever #46

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

Arabadzhiev

high

Assets bridged using the BridgeRelay contract will be lost forever

Summary

The BridgeRelay contract bridges assets to the same address as its own on the child chain, making them permanently inaccessible.

Vulnerability Detail

The BridgeRelay::bridgeTransfer function is implemented in such a way that it always passes its own contract address as the first function argument to the depositFor and depositEtherFor calls made to the Polygon PoS Bridge. However, this is not correct, since this is actually the address that will receive the bridged assets on Polygon, as can be seen in the RootChainManager implementation. What this effectively means is that once the assets are bridged, they will be lost forever. Even if someone manages to deploy a BridgeRelay contract on Polygon with the same address as the one on Mainnet, the assets will still be irrecoverable, since the contract does not have any logic for the withdrawal of funds (apart from the erc20Rescue function that lets the owner recover MATIC stuck within the contract, which will also not work, as the MATIC address is different on Polygon).

Impact

Assets bridged using the BridgeRelay contract will be lost forever.

Code Snippet

BridgeRelay.sol#L58 BridgeRelay.sol#L77

Tool used

Manual Review

Recommendation

Either add a variable/constant at the contract level that can only be set by the owner, which specifies the proper address that all bridged assets will be sent to, or add a function argument to bridgeTransfer that lets callers specify the exact address that they want to bridge to.
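The call pattern the report describes, next to the owner-set recipient it recommends, as an added sketch that is not Telcoin's BridgeRelay source or part of the original submission. `RelaySketch`, `childRecipient`, `setChildRecipient`, `bridgeToSelf`, `bridgeToRecipient` and the `erc20Predicate` constructor argument are hypothetical names, and only the ERC-20 `depositFor` path is shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch for illustration; this is not Telcoin's BridgeRelay source.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// ERC-20 entry point of the Polygon PoS RootChainManager named in the report.
// `user` is the account credited on the child chain.
interface IRootChainManager {
    function depositFor(address user, address rootToken, bytes calldata depositData) external;
}

contract RelaySketch {
    IRootChainManager public immutable manager;
    address public immutable erc20Predicate; // pulls the tokens during depositFor
    address public immutable owner;
    address public childRecipient; // hypothetical owner-set destination on the child chain

    constructor(IRootChainManager manager_, address erc20Predicate_) {
        manager = manager_;
        erc20Predicate = erc20Predicate_;
        owner = msg.sender;
    }

    function setChildRecipient(address recipient) external {
        require(msg.sender == owner, "not owner");
        require(recipient != address(0), "zero recipient");
        childRecipient = recipient;
    }

    // Pattern the report describes: the relay names itself as `user`.
    function bridgeToSelf(IERC20 token) external {
        _deposit(token, address(this));
    }

    // Recommended alternative: credit an explicitly configured address.
    function bridgeToRecipient(IERC20 token) external {
        require(childRecipient != address(0), "recipient unset");
        _deposit(token, childRecipient);
    }

    function _deposit(IERC20 token, address user) private {
        uint256 amount = token.balanceOf(address(this));
        require(token.approve(erc20Predicate, amount), "approve failed");
        manager.depositFor(user, address(token), abi.encode(amount));
    }
}
```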

sherlock-admin4 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

but it should work correctly in the current implementation; no?