zzykxx - Calling `depositTransaction()` on the optimism portal directly doesn't allow to replay transaction in case they fail

[sherlock-admin4]

zzykxx

High

Calling depositTransaction() on the optimism portal directly doesn't allow to replay transaction in case they fail

Summary

No response

Root Cause

To bridge assets from L1 to L2 using Moongate a user starts by calling crossTheThreshold()/crossTheThreshold1155, which calls depositTransaction() on the optimism portal directly.

Using the optimism portal directly doesn't allow transactions to be replayed:

@notice The OptimismPortal is a low-level contract responsible for passing messages between L1 and L2. Messages sent directly to the OptimismPortal have no form of replayability. Users are encouraged to use the L1CrossDomainMessenger for a higher-level interface.

This means that if the L2 transactions fail, NFTs will be stuck on the L1 InfernalRiftAbove contract, as there is no way to replay the transaction and no tokens are minted by InfernalRiftAbove. The L2 transaction can when:

• The specified gas limit is not enough, leading to the L2 transaction failing for an out-of-gas error
• One of the passed packages structures has the amounts parameter set to an empty array, which will revert here
• The royalty amount passed when a collection on L2 has not been deployed yet is bigger than 10000, which would fail when collections are initialized on the internal _setDefaultRoyalty() call.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

ERC721/ERC1155 tokens bridged via Moongate can get stuck in the L1 InfernalRiftAbove contract if the L2 transaction to InfernalRiftBelow::thresholdCross() fails.

PoC

No response

Mitigation

Use the L1CrossDomainMessenger contract to bridge assets.