Assessment reports>Astria Bridge>High findings>Withdrawal event could be reused by bridge admin
Category: Coding Mistakes

Withdrawal event could be reused by bridge admin

High Severity
Medium Impact
Low Likelihood

Description

In astria-bridge-withdrawer, bridge address and withdrawer address have permissions to withdraw assets from the bridge.

Both bridge address and withdrawer address could execute CollectWithdrawals and SubmitWithdrawals using astria-cli to withdraw assets from the bridge.

But there is no marking or validation to check that the withdrawal has already been spent. This means that the withdrawal event could potentially be reused by the bridge admin to withdraw assets from the bridge multiple times.

Impact

If the private key of the bridge address or withdrawer address is compromised, an attacker could unlock and withdraw assets from the bridge repeatedly using the same withdrawal event. This may lead to a loss of user funds.

Recommendations

Ensure that the withdrawal event is marked or validated to prevent the reuse of the withdrawal event in the bridge withdrawer.

Remediation

Zellic © 2025Back to top ↑