csanuragjain
low
On L1 to L2 transfer if msg.sender is a contract then funds are minted to alias of the contract on L2 side. If the alias happen to be an existing contract on L2 then
-
User deposits funds to L2 using a contract C1. User uses depositTransaction function
-
Since sender is contract so an alias is used for the "from" address
address from = msg.sender;
if (msg.sender != tx.origin) {
from = AddressAliasHelper.applyL1ToL2Alias(msg.sender);
}-
Now lets say this alias was C2 and a contract actually existed at C2 which transfer all eth received
-
The deposit transaction mints "from" alias address with the ETH. Since alias is C2 so funds goes to C2 which immediately wipes it
-
Since C2 does not have funds so User transaction fails.
-
Attacker has gained the eth sent from C1
Once funds are minted on alias attacker contract, the malicious contract can immediately wipe the eth balance. Thus user will lose funds
Manual Review
Check that alias of contract initiating the L1 transaction is not a contract on L2