Open sherlock-admin3 opened 3 weeks ago
speedy78214
Medium
L1StandardBridge
ETH
Improper initialization of L1StandardBridge will result in failure of bridging ETH as messenger is not properly instantiated
messenger
L1StandardBridge.sol: 112
initialize
_messenger
CrossDomainMessenger(address(0))
L1StandardBridge.sol: 145
_initiateBridgeETH
messenger.sendMessage
L1StandardBridge.sol: 249
CrossDomainMessenger.sol:181
sendMessage
_sendMessage
CrossDomainMessenger.sol:382
L1CrossDomainMessenger
No response
EOA
The users will not able to bridge ETH until other assets are not bridged
Add the following test case to tokamak-thanos/packages/tokamak/contracts-bedrock/test/L1/L1StandardBridge.t.sol:L1StandardBridge_Receive_Test.
tokamak-thanos/packages/tokamak/contracts-bedrock/test/L1/L1StandardBridge.t.sol:L1StandardBridge_Receive_Test
function test_deposit_eth_after_constructor() external virtual { L1StandardBridge impl = L1StandardBridge(deploy.mustGetAddress("L1StandardBridge")); (address alice, ) = makeAddrAndKey("alice"); vm.deal(alice, 1 ether); vm.startPrank(alice); (bool success,) = address(impl).call{ value: 0.1 ether }(hex""); assertEq(success, true); vm.stopPrank(); }
Inside L1StandardBridge.sol:_initiateBridgeETH, L1CrossDomainMessenger(address(messenger)).sendMessage should be used instead of messenger.sendMessage
L1StandardBridge.sol:_initiateBridgeETH
L1CrossDomainMessenger(address(messenger)).sendMessage
function _initiateBridgeETH( address _from, address _to, uint256 _amount, uint32 _minGasLimit, bytes memory _extraData ) internal override { ... - messenger.sendMessage( + L1CrossDomainMessenger(address(messenger)).sendMessage( }
speedy78214
Medium
Improper initialization of
L1StandardBridge
will disable bridgingETH
until at least one other asset is bridgedSummary
Improper initialization of
L1StandardBridge
will result in failure of bridging ETH asmessenger
is not properly instantiatedRoot Cause
L1StandardBridge.sol: 112
,initialize
function is called with_messenger
asCrossDomainMessenger(address(0))
.L1StandardBridge.sol: 145
, ETH transfer results in ETH bridge initiation by calling_initiateBridgeETH
._initiateBridgeETH
function, ETH bridge is initiated by sending message usingmessenger.sendMessage
(L1StandardBridge.sol: 249
)CrossDomainMessenger.sol:181
,sendMessage
function will call_sendMessage
, which is a virtual function (CrossDomainMessenger.sol:382
).messenger
is not initialized as aL1CrossDomainMessenger
with constructor,sendMessage
will eventually failsInternal pre-conditions
L1StandardBridge
External pre-conditions
No response
Attack Path
L1StandardBridge
is deployed and instantiatedEOA
s transfer ETH to bridge viaL1StandardBridge
.L1StandardBridge
Impact
The users will not able to bridge ETH until other assets are not bridged
PoC
Add the following test case to
tokamak-thanos/packages/tokamak/contracts-bedrock/test/L1/L1StandardBridge.t.sol:L1StandardBridge_Receive_Test
.Mitigation
Inside
L1StandardBridge.sol:_initiateBridgeETH
,L1CrossDomainMessenger(address(messenger)).sendMessage
should be used instead ofmessenger.sendMessage