Skip to content
This repository was archived by the owner on Mar 30, 2025. It is now read-only.
This repository was archived by the owner on Mar 30, 2025. It is now read-only.

Satanic_angel - requestERC20() function in L1GatewayRouter would ideally never be called thus leading to DoS #239

Open
Open
Satanic_angel - requestERC20() function in L1GatewayRouter would ideally never be called thus leading to DoS#239
@sherlock-admin3

Description

@sherlock-admin3
sherlock-admin3
opened on Sep 23, 2024

Satanic_angel

Medium

requestERC20() function in L1GatewayRouter would ideally never be called thus leading to DoS

Summary

The onlyInContext check in L1GatewayRouter.sol file checks the _msgSender against the L1GatewayRouter.sol::gatewayInContext variable which is always address(0) by default thus making the function unusable.

Root Cause

Invalid checking of msgSender and L1GatewayRouter::gatewayInContext variables leads to never allowing the sender to enter the function in no context.

    modifier onlyInContext() {
        require(_msgSender() == gatewayInContext, "Only in deposit context");
        _;
    }

One invoking function scope is

        if (router == _sender) {
            // Extract real sender if this call is from L1GatewayRouter.
            (_from, _data) = abi.decode(_data, (address, bytes));
            _amount = IL2GatewayRouter(_sender).requestERC20(_from, _token, _amount);
        }

in the L2ReverseCustomGateway.sol:_transferERC20In method

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

Leading to unsuable bridging of ERC20 tokens from L1 to L2

PoC

No response

Mitigation

Use the onlyNotInContext modifer instead of onlyInContext

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions