Category: Coding Mistakes
The initialize function is not using the initializer modifier
High Impact
High Severity
Medium Likelihood
Description
The initialize function in L1StandardBridge does not use the initializer modifier; instead, it checks whether messenger is still address(0) to decide whether the contract has already been initialized. If this contract is accidentally initialized with messenger set to address(0), an attacker can reinitialize the contract and thus steal tokens from the contract using the withdrawal functions.
function initialize(address _l1messenger, address _l2TokenBridge, address _l1MantleAddress) public {
    require(messenger == address(0), "Contract has already been initialized.");
    messenger = _l1messenger;
    l2TokenBridge = _l2TokenBridge;
    l1MantleAddress = _l1MantleAddress;
}
Impact
If there are any tokens in the contract and the messenger is set to address(0), an attacker can steal those tokens from the contract.
Recommendations
Use the initializer modifier, or in the initialize function, revert the transaction if any parameter is address(0).
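A sketch of an initialize function that applies both recommendations, added here as an illustration; it is not Mantle Network's code and not the fix from the referenced commit. The contract name L1StandardBridgeSketch and the revert strings are hypothetical, and the import assumes OpenZeppelin's upgradeable contracts package is available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; assumes the OpenZeppelin upgradeable package is installed.
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";

// Hypothetical contract name; the state variable names follow the snippet in the finding.
contract L1StandardBridgeSketch is Initializable {
    address public messenger;
    address public l2TokenBridge;
    address public l1MantleAddress;

    // `initializer` tracks initialization in its own storage, so a second call
    // reverts no matter what value `messenger` holds. The guard no longer
    // depends on `messenger` doubling as an "already initialized" flag.
    function initialize(
        address _l1messenger,
        address _l2TokenBridge,
        address _l1MantleAddress
    ) public initializer {
        // Second recommendation: revert on any zero-address parameter, so the
        // bridge can never end up configured with messenger == address(0).
        require(_l1messenger != address(0), "messenger is the zero address");
        require(_l2TokenBridge != address(0), "l2TokenBridge is the zero address");
        require(_l1MantleAddress != address(0), "l1MantleAddress is the zero address");

        messenger = _l1messenger;
        l2TokenBridge = _l2TokenBridge;
        l1MantleAddress = _l1MantleAddress;
    }
}
```

A test for this pattern should call initialize twice and expect the second call to revert, and should expect a revert when any argument is address(0).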
Remediation
This issue has been acknowledged by Mantle Network, and a fix was implemented in commit a53dd956.