Satanic_angel - requestERC20() function in L1GatewayRouter would ideally never be called thus leading to DoS #239

Open
sherlock-admin3 opened this issue Sep 23, 2024 · 0 comments

sherlock-admin3 commented Sep 23, 2024

Satanic_angel

Medium

requestERC20() function in L1GatewayRouter would ideally never be called thus leading to DoS

Summary

The onlyInContext check in the L1GatewayRouter.sol file checks the _msgSender against the L1GatewayRouter.sol::gatewayInContext variable, which is always address(0) by default, thus making the function unusable.

Root Cause

Invalid checking of the msgSender and L1GatewayRouter::gatewayInContext variables leads to never allowing the sender to enter the function in any context.

    modifier onlyInContext() {
        require(_msgSender() == gatewayInContext, "Only in deposit context");
        _;
    }

One invoking function scope is

        if (router == _sender) {
            // Extract real sender if this call is from L1GatewayRouter.
            (_from, _data) = abi.decode(_data, (address, bytes));
            _amount = IL2GatewayRouter(_sender).requestERC20(_from, _token, _amount);
        }

in the L2ReverseCustomGateway.sol:_transferERC20In method

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Leading to unusable bridging of ERC20 tokens from L1 to L2

PoC

No response

Mitigation

Use the onlyNotInContext modifier instead of onlyInContext

sherlock-admin3 changed the title from "Teeny Pastel Sawfish - requestERC20() function in L1GatewayRouter would ideally never be called thus leading to DoS" to "Satanic_angel - requestERC20() function in L1GatewayRouter would ideally never be called thus leading to DoS" on Oct 16, 2024
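A minimal Solidity model of the guard discussed in this issue, added here as an illustration and not taken from the audited repository or the submission. It assumes a hypothetical router entry point (`deposit`) that sets `gatewayInContext` for the duration of the gateway call; every name other than `gatewayInContext`, `onlyInContext` and `requestERC20` is invented for the model, and `msg.sender` stands in for `_msgSender()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contracts. Every name except
// gatewayInContext, onlyInContext and requestERC20 is hypothetical.
interface IGatewayModel {
    function pull(address from, uint256 amount) external returns (uint256);
}

contract RouterModel {
    // Zero by default; the guard can only pass while this is non-zero.
    address public gatewayInContext;

    // Same comparison as the modifier quoted in the issue.
    modifier onlyInContext() {
        require(msg.sender == gatewayInContext, "Only in deposit context");
        _;
    }

    // Assumed entry point: marks the gateway as "in context" for one call.
    function deposit(address gateway, uint256 amount) external returns (uint256 pulled) {
        gatewayInContext = gateway;
        pulled = IGatewayModel(gateway).pull(msg.sender, amount);
        gatewayInContext = address(0); // cleared before returning
    }

    // Token transfer omitted; only the access check is modelled.
    function requestERC20(address, uint256 amount) external onlyInContext returns (uint256) {
        return amount;
    }
}

contract GatewayModel is IGatewayModel {
    RouterModel public immutable router;

    constructor(RouterModel r) { router = r; }

    // Reached through RouterModel.deposit(): gatewayInContext == address(this).
    function pull(address from, uint256 amount) external returns (uint256) {
        return router.requestERC20(from, amount);
    }

    // Called directly: gatewayInContext == address(0), so the guard reverts.
    function pullOutsideDeposit(address from, uint256 amount) external returns (uint256) {
        return router.requestERC20(from, amount);
    }
}
```

In a test harness, `RouterModel.deposit(gateway, n)` returns `n`, while `GatewayModel.pullOutsideDeposit` reverts with "Only in deposit context". Whether `requestERC20()` is reachable in the audited router therefore depends on whether some code path assigns `gatewayInContext` before the gateway calls back.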