Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
49 lines (33 loc) · 1.38 KB

083.md

File metadata and controls

49 lines (33 loc) · 1.38 KB
Raw

0xdeadbeef

medium

OptimismPortal does not prevent contracts from depositing funds directly to it

Summary

OptimismPortal has a feature that helps EOAs to easily transfer funds to L2 by just transferring ETH to the contract. EOAs can directly transfer funds to OptimismPortal to receive it in L2. It mentions in the document that if contracts will transfer funds to the contract, it will be lost due to aliasing.

There is no enforcement on implementation to validate that only EOA has called the receive function.

Vulnerability Detail

The receive function in OptimismPortal does not enforce EOA calls only.

    receive() external payable {
        depositTransaction(msg.sender, msg.value, RECEIVE_DEFAULT_GAS_LIMIT, false, bytes(""));
    }

Contracts should be prevented from calling this function

Impact

Contracts/smart wallets/vaults depositing directly to OptimismPortal will lose their funds

Code Snippet

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/OptimismPortal.sol#L140-L142

Tool used

Manual Review

Recommendation

Consider adding the following modifier to the receive function

    modifier onlyEOA() {
        require(
            !Address.isContract(msg.sender),
            "OptimismPortal: function can only be called from an EOA"
        );
        _;
    }