Rewards - Bug Bounties
Logic error with postUgradeInit function allowing the exploiter to set his own bridge deposit address
Days in Operation:
0xRiptide, a solidity whitehat, reported a bug bounty to ImmuneFi where he was paid 400 ETH, approx. $538k as of reported date.
The DelayedInbox contract uses a standard TransparentUpgradeableProxy pattern with a public initialize() function. This function includes an initializer modifier which in turn checks the first two storage slots on the proxy to see if the contract has already been initialized or is currently being initialized. However … pulling up etherscan showed that the bridge was set correctly but the sequencerInbox was uninitialized.
As it turns out the postUpgradeInit function wipes slots 0,1 & 2 and sets the bridge and allowListEnabled slots to new values — but leaves sequencerInbox and the two booleans set by the intializer modifier empty! At this point we can call the public initialize() function and set our own address as the bridge to accept all incoming ETH deposits
DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.