Allowance given to incorrect address
Description
The function bridgeTokenArb first increases the allowance of bridgeRouter by the value amount and then calls outboundTransferCustomRefund to start the bridging of the tokens.
function bridgeTokenArb(address token, address arbEscrow, uint256 amount, uint256 maxGas, uint256 gasPrice)
    external
    onlyOwner
    onlyBroke
{
    IERC20(token).safeIncreaseAllowance(address(bridgeRouter), amount);
    bridgeRouter.outboundTransferCustomRefund(token, msg.sender, arbEscrow, amount, maxGas, gasPrice, bytes(""));
}
As per the Arbitrum Docs, the approval of the tokens should be given to the L1ERC20Gateway and not the IL1GatewayRouter (or bridgeRouter) contract.
The correct address of the L1ERC20Gateway can be retrieved by calling the getGateway function in the IL1GatewayRouter contract.
Impact
Bridging of tokens will fail due to the incorrect allowance.
Recommendations
We recommend calling safeIncreaseAllowance on the correct contract address. The correct address can be retrieved by calling getGateway as mentioned above.
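The following Python model is an added example, not code from the audited project or from Arbitrum. It assumes, per the description above, that the gateway (not the router) is the contract that calls transferFrom; the class names and the "vault" account are constructed for illustration. It shows why the transfer fails when the router is approved and succeeds when the address returned by getGateway is approved.

```python
# Simplified model (constructed for illustration) of ERC-20 allowances and the
# router -> gateway hand-off. Names mirror the finding; behaviour is assumed.
class InsufficientAllowance(Exception):
    pass

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> remaining amount

    def increase_allowance(self, owner, spender, amount):
        key = (owner, spender)
        self.allowance[key] = self.allowance.get(key, 0) + amount

    def transfer_from(self, spender, owner, to, amount):
        # ERC-20 checks the allowance of whoever *calls* transferFrom.
        if self.allowance.get((owner, spender), 0) < amount:
            raise InsufficientAllowance(f"{spender} may not spend for {owner}")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Gateway:
    name = "L1ERC20Gateway"

    def outbound_transfer(self, token, sender, amount):
        # The gateway escrows the tokens, so it is the transferFrom caller.
        token.transfer_from(self.name, sender, self.name, amount)

class Router:
    name = "bridgeRouter"

    def __init__(self, gateway):
        self.gateway = gateway

    def get_gateway(self, token):
        return self.gateway.name

    def outbound_transfer_custom_refund(self, token, sender, amount):
        # The router only forwards the call; it never pulls tokens itself.
        self.gateway.outbound_transfer(token, sender, amount)

def bridge(approve_gateway, amount=100):
    """Return (succeeded, tokens escrowed by the gateway)."""
    token, router = Token({"vault": amount}), Router(Gateway())
    spender = router.get_gateway(token) if approve_gateway else router.name
    token.increase_allowance("vault", spender, amount)
    try:
        router.outbound_transfer_custom_refund(token, "vault", amount)
    except InsufficientAllowance:
        return False, token.balances.get(Gateway.name, 0)
    return True, token.balances.get(Gateway.name, 0)
```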
Remediation
This issue has been acknowledged by Bracket Labs Group SA, and a fix was implemented in commit 9d8ba151.