Albort - The unsafe token-to-validation process #82
Comments
sherlock-admin4
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
sherlock-admin4
changed the title
Albort
High
The unsafe token-to-validation process
Summary
In the _initiateBridgeERC20 function, for tokens that are not OptimismMintableERC20, the pairing relationship between _remoteToken and _localToken is not adequately validated. This may lead to the following issues:
Vulnerability Detail
• For non-OptimismMintableERC20 tokens, there is no verification to ensure that _localToken and _remoteToken are correctly paired.
• An attacker could provide an arbitrary _remoteToken address, causing the wrong token to be received on the target chain.
Impact
• Token Loss or Locking: Users may receive incorrect tokens on the target chain, leading to loss of tokens or making them unrecoverable.
• Fraudulent Transfers: Attackers could trick users into bridging tokens to a malicious token contract controlled by the attacker.
Code Snippet
https://github.com/sherlock-audit/2024-08-tokamak-network/blob/main/tokamak-thanos/packages/tokamak/contracts-bedrock/src/universal/StandardBridge.sol#L416
Tool used
Manual Review
Recommendation
Add validation to the _initiateBridgeERC20 function to verify the pairing relationship between _localToken and _remoteToken.
• Maintain a trusted token pair mapping, allowing only token pairs within the mapping to be bridged.
The text was updated successfully, but these errors were encountered: