Platform: Code4rena
Start Date: 07/10/2022
Pot Size: $50,000 USDC
Total HM: 4
Participants: 62
Period: 5 days
Judge: 0xean
Total Solo HM: 2
Id: 169
League: ETH
Rank: 7/62
Findings: 1
Award: $1,752.93
🌟 Selected for report: 0
🚀 Solo Findings: 0
BridgeEscrow.approveAll allows a _spender to transfer all the GRT stored in BridgeEscrow.
While this function is meant to be used as an escape hatch - by using a Merkle proof contract to reclaim funds based on an L2 snapshot, it still constitutes a potential rugging vector that can grieve users that have bridged their GRT to Arbitrum.
Medium
GRT to L2BridgeEscrow.approveAll(Recipient), recipient being a malicious EOA/SCrecipient steals all the GRT in BridgeEscrow.Manual Analysis
A timelock system would be complicated to design because of Arbitrum's dispute period. A safer option is to have an emergency withdrawal using a "pull" pattern to allow users to reclaim funds themselves. You can combine it with the Merkle Proof snapshot detailed in the specs.
#0 - trust1995
2022-10-16T00:12:46Z
Seems to be an issue the project is aware of.
#1 - 0xean
2022-10-16T13:44:48Z
dupe of #40