The onlyEOA modifier only checks that account.code.length == 0; a contract can still bypass it by sending ETH from its constructor, which could be vulnerable to reentrancy.
Configuration
Severity: informational
Impact
A user looping inside the receive function to call _initiateBridgeETH multiple times.
Update: In deposit flows, L1StandardBridge always calls L1CrossDomainMessenger and L1CrossDomainMessenger always calls OptimismPortal, so no reentrancy attack is possible when depositing.
Describe the bug
In L1StandardBridge, users are allowed to send ETH directly to the contract in order to receive ETH on L2.
The onlyEOA modifier only checks that
account.code.length == 0;
Because an account has no code stored while its constructor is executing, a contract can still bypass this modifier by sending the ETH from its constructor, which could make the deposit path vulnerable to reentrancy.
Impact
A user looping inside the receive function to call _initiateBridgeETH multiple times.
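The following Solidity is an added example, not Optimism's code and not a demo from this report. It reproduces the bypass the report describes: a target contract guards its ETH entry point with a code-length check, and a second contract forwards ETH to it from its constructor, at which point the caller's code length is still zero. It also shows one hypothetical extra condition (msg.sender == tx.origin) that a constructor call cannot satisfy, with its caveat. All contract names (CodeLengthGuarded, OriginGuarded, ConstructorCaller, Harness) are invented for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Optimism's code. CodeLengthGuarded is a minimal stand-in
// for a bridge whose ETH entry point is guarded by the check the report cites.
contract CodeLengthGuarded {
    uint256 public depositCount;

    event Deposit(address indexed from, uint256 amount);

    // The check described in the report. An address under construction has no
    // code stored yet, so msg.sender.code.length is 0 when the caller is a
    // contract calling from its own constructor.
    modifier onlyEOA() {
        require(msg.sender.code.length == 0, "Guarded: not an EOA");
        _;
    }

    receive() external payable onlyEOA {
        depositCount += 1;
        emit Deposit(msg.sender, msg.value);
    }
}

// Hypothetical hardened variant (an assumption for this example, not a
// recommendation taken from the report): additionally require that
// msg.sender == tx.origin. A contract under construction is never tx.origin,
// so the constructor trick is rejected. Caveat: this also rejects legitimate
// callers such as smart-contract wallets.
contract OriginGuarded {
    uint256 public depositCount;

    modifier onlyEOA() {
        require(msg.sender.code.length == 0, "Guarded: not an EOA");
        require(msg.sender == tx.origin, "Guarded: not the tx origin");
        _;
    }

    receive() external payable onlyEOA {
        depositCount += 1;
    }
}

// The bypass: forward the ETH to the target while still inside the constructor.
contract ConstructorCaller {
    constructor(address payable target) payable {
        (bool ok, ) = target.call{value: msg.value}("");
        require(ok, "deposit rejected");
    }
}

// Harness: deploys ConstructorCaller against both targets and reports which
// one accepted the deposit. Call run() from an EOA with at least 2 wei attached.
contract Harness {
    CodeLengthGuarded public weak = new CodeLengthGuarded();
    OriginGuarded public strong = new OriginGuarded();

    function run() external payable returns (bool weakBypassed, bool strongBypassed) {
        require(msg.value >= 2, "send at least 2 wei");
        uint256 half = msg.value / 2;
        uint256 weakBefore = weak.depositCount();
        uint256 strongBefore = strong.depositCount();

        // Expected: creation succeeds, because the constructor call passes
        // the code-length check and the deposit is recorded.
        try new ConstructorCaller{value: half}(payable(address(weak))) {
            weakBypassed = true;
        } catch {
            weakBypassed = false;
        }

        // Expected: creation reverts, because msg.sender inside receive() is
        // the contract under construction, which is never tx.origin.
        try new ConstructorCaller{value: half}(payable(address(strong))) {
            strongBypassed = true;
        } catch {
            strongBypassed = false;
        }

        // Sanity check on the recorded deposits: only the weak target gained one.
        assert(weak.depositCount() == weakBefore + 1);
        assert(strong.depositCount() == strongBefore);
    }
}
```

Deploy Harness and call run() with a few wei from an externally owned account; it returns (true, false). The example only shows that the modifier can be reached from a constructor, which is the report's premise; it does not show a reentrancy loop, since, as the Update above notes, the real deposit path never calls back into the sender.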
Recommendation
Adding conditions such as
Exploit Scenario
Demo