Platform: Code4rena
Start Date: 01/12/2022
Pot Size: $26,900 USDC
Total HM: 3
Participants: 19
Period: 4 days
Judge: GalloDaSballo
Id: 188
League: ETH
Rank: 6/19
Findings: 1
Award: $1,309.61
Selected for report: 0
Solo Findings: 0
1309.6144 USDC - $1,309.61
Judge has assessed an item in Issue #187 as M risk. The relevant finding follows:
[L-02] EthereumToArbitrumRelayer.processCalls() does not check msg.sender is a contract
The Arbitrum relay processCalls is intended to be called by an EOA, as specified in the docs:
"Arbitrum requires an EOA to submit a bridge transaction."
But the function does not actually perform any check to ensure msg.sender is an EOA.
This should be enforced not only because of what is specified in the docs, but also because a contract calling EthereumToArbitrumRelayer.processCalls() can lead to the gas refund being lost:
- The excessFeeRefundAddress parameter of Arbitrum's Inbox.createRetryableTicket() gets credited with the gas refund, if there is any.
- In the EthereumToArbitrumRelayer.processCalls() implementation, that parameter is set to msg.sender.
- The issue is that if the caller is a contract, the refund will then be transferred to the L2 alias of msg.sender, which:
  - may not exist on Arbitrum
  - may not have any withdrawal function
In such a case, the refund fee is lost.
Mitigation
Add a msg.sender == tx.origin check in processCalls to ensure only EOAs can call the function.
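The following Solidity sketch is an added illustration of the finding and its mitigation; it is not the audited EthereumToArbitrumRelayer and not PoolTogether code. ExampleRelayer, AliasHelper, processCallsUnchecked, refundRecipientOnL2 and the function parameters are hypothetical simplifications. The IInbox interface reproduces the parameter list of Arbitrum's Inbox.createRetryableTicket() and AliasHelper reproduces Arbitrum's L1-to-L2 aliasing offset; it is assumed that both match the Nitro version the relayer targets.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal subset of Arbitrum's Inbox interface. Assumption: the parameter list
// matches the Nitro Inbox version the relayer targets.
interface IInbox {
    function createRetryableTicket(
        address to,
        uint256 l2CallValue,
        uint256 maxSubmissionCost,
        address excessFeeRefundAddress,
        address callValueRefundAddress,
        uint256 gasLimit,
        uint256 maxFeePerGas,
        bytes calldata data
    ) external payable returns (uint256);
}

// Hypothetical helper mirroring Arbitrum's L1->L2 address aliasing rule
// (alias = l1Address + 0x1111...1111, mod 2^160). The Inbox applies this to a
// refund address that is a contract on L1, which is why a contract caller's
// refund lands on an L2 address it may not control.
library AliasHelper {
    uint160 internal constant OFFSET =
        uint160(0x1111000000000000000000000000000000001111);

    function applyL1ToL2Alias(address l1Address) internal pure returns (address) {
        unchecked {
            return address(uint160(l1Address) + OFFSET);
        }
    }
}

/// Hypothetical, simplified relayer written for this write-up. Only the
/// refund-address handling from the finding is modelled.
contract ExampleRelayer {
    IInbox public immutable inbox;
    address public immutable l2Target;

    constructor(IInbox _inbox, address _l2Target) {
        inbox = _inbox;
        l2Target = _l2Target;
    }

    /// Vulnerable shape from the finding: excessFeeRefundAddress is msg.sender
    /// and nothing stops a contract from calling. For a contract caller the
    /// excess fee is credited to applyL1ToL2Alias(msg.sender) on Arbitrum.
    function processCallsUnchecked(
        bytes calldata data,
        uint256 maxSubmissionCost,
        uint256 gasLimit,
        uint256 maxFeePerGas
    ) external payable returns (uint256 ticketId) {
        ticketId = inbox.createRetryableTicket{value: msg.value}(
            l2Target,
            0,                 // l2CallValue
            maxSubmissionCost,
            msg.sender,        // excessFeeRefundAddress: aliased if a contract
            msg.sender,        // callValueRefundAddress
            gasLimit,
            maxFeePerGas,
            data
        );
    }

    /// Mitigated version implementing the recommendation: only an EOA may
    /// call, so msg.sender is never aliased and the refund stays reachable.
    function processCalls(
        bytes calldata data,
        uint256 maxSubmissionCost,
        uint256 gasLimit,
        uint256 maxFeePerGas
    ) external payable returns (uint256 ticketId) {
        require(msg.sender == tx.origin, "processCalls: caller must be an EOA");
        ticketId = inbox.createRetryableTicket{value: msg.value}(
            l2Target,
            0,
            maxSubmissionCost,
            msg.sender,
            msg.sender,
            gasLimit,
            maxFeePerGas,
            data
        );
    }

    /// Review helper: the L2 address that would receive `caller`'s refund.
    /// Contracts (non-empty code on L1) are aliased; EOAs are not.
    function refundRecipientOnL2(address caller) external view returns (address) {
        return caller.code.length > 0 ? AliasHelper.applyL1ToL2Alias(caller) : caller;
    }
}
```

Calling refundRecipientOnL2 with a contract address shows the aliased recipient the finding warns about; with an EOA it returns the EOA itself. Note that the msg.sender == tx.origin check also rejects smart-contract wallets and multisigs, which is consistent with the documented "EOA only" requirement but is worth stating in the relayer's docs so integrators are not surprised.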
#0 - c4-judge
2023-01-06T11:54:34Z
GalloDaSballo marked the issue as duplicate of #63
#1 - c4-judge
2023-01-06T11:55:22Z
GalloDaSballo marked the issue as satisfactory
#2 - c4-judge
2023-01-06T11:55:30Z
GalloDaSballo marked the issue as selected for report
#3 - c4-judge
2023-01-06T11:58:30Z
GalloDaSballo marked the issue as not selected for report