Open sherlock-admin3 opened 3 weeks ago
speedy78214
Medium
L1StandardBridge
ETH
Improper initialization of L1StandardBridge will result in failure of bridging ETH as messenger is not properly instantiated
messenger
L1StandardBridge.sol: 112
initialize
_messenger
CrossDomainMessenger(address(0))
L1StandardBridge.sol: 145
_initiateBridgeETH
messenger.sendMessage
L1StandardBridge.sol: 249
CrossDomainMessenger.sol:181
sendMessage
_sendMessage
CrossDomainMessenger.sol:382
L1CrossDomainMessenger
No response
EOA
The users will not able to bridge ETH until other assets are not bridged
Add the following test case to tokamak-thanos/packages/tokamak/contracts-bedrock/test/L1/L1StandardBridge.t.sol:L1StandardBridge_Receive_Test.
tokamak-thanos/packages/tokamak/contracts-bedrock/test/L1/L1StandardBridge.t.sol:L1StandardBridge_Receive_Test
function test_deposit_eth_after_constructor() external virtual { L1StandardBridge impl = L1StandardBridge(deploy.mustGetAddress("L1StandardBridge")); (address alice, ) = makeAddrAndKey("alice"); vm.deal(alice, 1 ether); vm.startPrank(alice); (bool success,) = address(impl).call{ value: 0.1 ether }(hex""); assertEq(success, true); vm.stopPrank(); }
Inside L1StandardBridge.sol:_initiateBridgeETH, L1CrossDomainMessenger(address(messenger)).sendMessage should be used instead of messenger.sendMessage
L1StandardBridge.sol:_initiateBridgeETH
L1CrossDomainMessenger(address(messenger)).sendMessage
function _initiateBridgeETH( address _from, address _to, uint256 _amount, uint32 _minGasLimit, bytes memory _extraData ) internal override { ... - messenger.sendMessage( + L1CrossDomainMessenger(address(messenger)).sendMessage( }
speedy78214
Medium
Improper initialization of
L1StandardBridgewill disable bridgingETHuntil at least one other asset is bridgedSummary
Improper initialization of
L1StandardBridgewill result in failure of bridging ETH asmessengeris not properly instantiatedRoot Cause
L1StandardBridge.sol: 112,initializefunction is called with_messengerasCrossDomainMessenger(address(0)).L1StandardBridge.sol: 145, ETH transfer results in ETH bridge initiation by calling_initiateBridgeETH._initiateBridgeETHfunction, ETH bridge is initiated by sending message usingmessenger.sendMessage(L1StandardBridge.sol: 249)CrossDomainMessenger.sol:181,sendMessagefunction will call_sendMessage, which is a virtual function (CrossDomainMessenger.sol:382).messengeris not initialized as aL1CrossDomainMessengerwith constructor,sendMessagewill eventually failsInternal pre-conditions
L1StandardBridgeExternal pre-conditions
No response
Attack Path
L1StandardBridgeis deployed and instantiatedEOAs transfer ETH to bridge viaL1StandardBridge.L1StandardBridgeImpact
The users will not able to bridge ETH until other assets are not bridged
PoC
Add the following test case to
tokamak-thanos/packages/tokamak/contracts-bedrock/test/L1/L1StandardBridge.t.sol:L1StandardBridge_Receive_Test.Mitigation
Inside
L1StandardBridge.sol:_initiateBridgeETH,L1CrossDomainMessenger(address(messenger)).sendMessageshould be used instead ofmessenger.sendMessage