Closed sherlock-admin4 closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
WangAudit commented:
sounds vague and team actually confirmed they did it on purpose; since issue is based on just assumption on who controls that address on Polygon is not enough
Ironsidesec
high
Bridged tokens cannot be handled on the child chain
Summary
The tokens or Ether bridged to the Polygon POS chain are lost due to the lack of handling, because the bridge-to user address on Polygon is the same as the mainnet bridge relay contract, which can't transfer tokens, or some EOA which can be owned by someone.
Vulnerability Detail
Using the Bridge relay contract, anyone can call transferERCToBridge and the balance of the contract will be bridged and transferred to the same contract address on Polygon, because the user param is using address(this) as shown above. So, to handle the bridged tokens on the child chain (Polygon), the user address should either be a contract / EOA / safe wallet.
Team says that discord proof
interacting with the bridge and transferring tokens is essentially the sole purpose of the contract. The reason we use address(this) is because the tokens have been deposited on that address on the mainnet and we need them at that same address on polygon
So, the contract has to be at the same address on both chains, but the Bridge relay contract lacks token transfer actions.
Now look at the below possibilities
So, the main issue is, the tokens bridged are lost forever. Look at the recommendation section
Impact
The tokens bridged from Ethereum to Polygon cannot be transferred or handled by user/owner.
Code Snippet
https://github.com/sherlock-audit/2024-02-telcoin-platform-audit-update/blob/21920190e0772afa18e7f856a036fea3ef5b9635/telcoin-contracts/contracts/bridge/BridgeRelay.sol#L67-L81
Tool used
Manual Review
Recommendation
Modify BridgeRelay contract to handle transferring tokens with access control
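The recommendation above, sketched as an added example that is not part of the original report and is not Telcoin's code. The contract name RelayWithRescue, the owner role and rescueERC20 are hypothetical, and the sketch assumes the same contract is deployed at the same address on the child chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; every name in this file is hypothetical.
contract RelayWithRescue {
    // Assumption: one trusted admin. If the contract must live at the same
    // address on both chains via CREATE2, this constructor argument is part
    // of the init code and therefore has to be identical on both chains.
    address public immutable owner;

    event Rescued(address indexed token, address indexed to, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error NotAContract();
    error TransferFailed();

    constructor(address owner_) {
        if (owner_ == address(0)) revert ZeroAddress();
        owner = owner_;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Moves tokens held at address(this), for example tokens that arrived
    // here after being bridged, to a recipient chosen by the owner.
    function rescueERC20(address token, address to, uint256 amount)
        external
        onlyOwner
    {
        if (to == address(0)) revert ZeroAddress();
        // A low-level call to an address without code "succeeds" silently,
        // so reject that case before calling.
        if (token.code.length == 0) revert NotAContract();
        // transfer(address,uint256) selector; a low-level call is used so
        // tokens that return no bool are still supported.
        (bool ok, bytes memory ret) =
            token.call(abi.encodeWithSelector(0xa9059cbb, to, amount));
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) {
            revert TransferFailed();
        }
        emit Rescued(token, to, amount);
    }
}
```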