n4nika - The arbitrary calls in the cross-domain messengers allow anyone to drain them #223

Open
sherlock-admin2 opened this issue Sep 23, 2024 · 0 comments


sherlock-admin2 commented Sep 23, 2024

n4nika

High

The arbitrary calls in the cross-domain messengers allow anyone to drain them

Summary

Both cross-domain messengers can be drained due to them making arbitrary calls.

Root Cause

Any user can send messages from L1 -> L2 and vice versa. On L2 these messages are executed by the L2CrossDomainMessenger in the _executeMessage function. There the message is passed to a call whose destination is only restricted to not be address(this) or L2_TO_L1_MESSAGE_PASSER.

```solidity
function _executeMessage(
    address _from,
    address _to,
    uint256 _value,
    bytes memory _message,
    bytes32 _xDomainCalldataHash
) internal {
    // [...]
    // _to is only checked against address(this) and L2_TO_L1_MESSAGE_PASSER;
    // any other target receives the user-supplied calldata with the messenger as msg.sender
    (bool success, ) = _to.call{value: _value}(_message);
    // [...]
}
```

In the L1CrossDomainMessenger, the arbitrary call is made in proveAndRelayMessage.

```solidity
function proveAndRelayMessage(
    address _from,
    address _to,
    uint256 _value,
    uint256 _nonce,
    bytes memory _message,
    bytes32[32] calldata _withdrawalProof,
    bytes32 _withdrawalRoot
) external override whenNotPaused notInExecution {
    // [...]
    // same pattern on L1: the proven message is forwarded to an arbitrary _to
    (bool success, ) = _to.call{value: _value}(_message);
    // [...]
}
```

Internal pre-conditions

None

External pre-conditions

None

Attack Path

  • User makes a cross-chain call from L1 -> L2 or L2 -> L1, specifying a message by encoding, for example, token.approve(address(attacker), type(uint256).max)
  • This will then be executed by either the L1 or the L2 messenger
  • User can now transfer tokens out of the messenger
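To make the root cause and the fix concrete, here is an added illustration in Solidity; it is not code from the audited project. It places a minimal messenger with the vulnerable shape described above (forward any calldata to any `_to` other than itself) next to a hardened arrangement in which the messenger custodies no assets, refuses registered asset contracts as relay targets, blocks re-entry, and exposes the originating sender so that a separate escrow contract, which actually holds the funds, can authenticate the call. The contract and member names (`NaiveMessenger`, `HardenedMessenger`, `Escrow`, `protectedAsset`, `counterpart`, `DEFAULT_SENDER`) are assumptions chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the audited project. All contract and
// member names below are assumptions chosen for this example.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Vulnerable shape: any calldata is forwarded to any `_to` except this contract,
/// with the messenger as msg.sender. If the messenger also custodies tokens, a
/// relayed approve(attacker, max) or transfer(...) on the token contract hands
/// them out, exactly as the attack path above describes.
contract NaiveMessenger {
    address public xDomainMessageSender;

    event RelayedMessage(bytes32 indexed msgHash, bool success);

    function relayMessage(
        address _from,
        address _to,
        uint256 _value,
        uint256 _nonce,
        bytes calldata _message
    ) external {
        require(_to != address(this), "self-call");
        bytes32 msgHash = keccak256(abi.encode(_from, _to, _value, _nonce, _message));
        xDomainMessageSender = _from;
        (bool success, ) = _to.call{value: _value}(_message);
        xDomainMessageSender = address(0);
        emit RelayedMessage(msgHash, success);
    }
}

/// Hardened shape: still a generic relayer, but (1) it holds no assets itself,
/// (2) registered asset contracts are refused as targets, (3) re-entry is blocked,
/// and (4) the originating sender is exposed so asset-holding contracts can
/// authenticate the call.
contract HardenedMessenger {
    address private constant DEFAULT_SENDER = address(0xdead);

    address public immutable admin;
    address public xDomainMessageSender = DEFAULT_SENDER;
    mapping(address => bool) public protectedAsset; // token contracts the system custodies elsewhere
    bool private executing;

    event RelayedMessage(bytes32 indexed msgHash, bool success);

    constructor(address _admin) {
        admin = _admin;
    }

    function setProtectedAsset(address asset, bool isProtected) external {
        require(msg.sender == admin, "not admin");
        protectedAsset[asset] = isProtected;
    }

    function relayMessage(
        address _from,
        address _to,
        uint256 _value,
        uint256 _nonce,
        bytes calldata _message
    ) external {
        require(!executing, "reentrant relay");
        require(_to != address(this), "self-call");
        require(!protectedAsset[_to], "asset contract is not a valid target");
        bytes32 msgHash = keccak256(abi.encode(_from, _to, _value, _nonce, _message));

        executing = true;
        xDomainMessageSender = _from;
        (bool success, ) = _to.call{value: _value}(_message);
        xDomainMessageSender = DEFAULT_SENDER;
        executing = false;
        emit RelayedMessage(msgHash, success);
    }
}

/// Funds live here, not in the messenger. Only a relay whose cross-domain origin
/// is the known counterpart escrow can release them; a relayed call that targets
/// the token directly never sees this contract's balance.
contract Escrow {
    HardenedMessenger public immutable messenger;
    address public immutable counterpart; // escrow on the other domain

    constructor(HardenedMessenger _messenger, address _counterpart) {
        messenger = _messenger;
        counterpart = _counterpart;
    }

    modifier onlyCounterpart() {
        require(msg.sender == address(messenger), "not messenger");
        require(messenger.xDomainMessageSender() == counterpart, "wrong origin");
        _;
    }

    function finalizeWithdrawal(IERC20 token, address to, uint256 amount) external onlyCounterpart {
        require(token.transfer(to, amount), "transfer failed");
    }
}
```

The point of the split is that an arbitrary-call relayer is only dangerous in proportion to what it owns: with the balance in `Escrow` and `protectedAsset` covering every bridged token, a relayed `approve` from the messenger's identity grants an allowance over nothing, and the only path to the funds is `finalizeWithdrawal`, which checks both `msg.sender` and the recorded origin.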

Impact

Attacker can drain all funds from both messengers.

PoC

No response

Mitigation

No response

@sherlock-admin3 sherlock-admin3 changed the title Quaint Mahogany Bat - The arbitrary calls in the cross-comain messengers allow anyone to drain them n4nika - The arbitrary calls in the cross-comain messengers allow anyone to drain them Oct 16, 2024