Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

lemonmon - contract with only IOptimismMintableERC20 interface is not compatible with StandardBridge #220

Open
github-actions bot opened this issue Feb 20, 2023 · 0 comments
Open

lemonmon - contract with only IOptimismMintableERC20 interface is not compatible with StandardBridge #220

github-actions bot opened this issue Feb 20, 2023 · 0 comments
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue

Comments

@github-actions
Copy link

lemonmon

informational

contract with only IOptimismMintableERC20 interface is not compatible with StandardBridge

Summary

If a custom contract implements only the IOptimismMintableERC20, but no the ILegacyMintableERC20, the contract is not compatible with the StandardBridge, as the bridge uses the l1Token function from the legacy interface

Vulnerability Detail

The comment in the IOptimismMintableERC20 suggests that one can make a custom implementation of OptimismMintableERC20 using the interface IOptimismMintableERC20.

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/IOptimismMintableERC20.sol#L8-L10

Also, the StandardBridge, which uses the OptimismMintableERC20 has _isOptimismMintableERC20 function, which checks whether the given token address is implementing OptimismMintableERC20. The function will be true if either of ILegacyMintableERC20 or IOptimismMintableERC20 is implemented. it means that if a token implements only one of the interfaces, it will return true.

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/StandardBridge.sol#L446-L450

However, if the given token passes the _isOptimismMintableERC20, the legacy function l1Token will be called on the token. If the token does not implement the legacy interface, the call will fail.

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L2/L2StandardBridge.sol#L170

Therefore, the token which only implements IOptimismMintableERC20, but not the ILegacyMintableERC20, is not compatible with StandardBridge.

Impact

Any custom contract without l1Token function will not be compatible with StandardBridge

Code Snippet

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/IOptimismMintableERC20.sol#L8-L10

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/universal/StandardBridge.sol#L446-L450

https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L2/L2StandardBridge.sol#L170

Tool used

Manual Review

Recommendation

It is unclear it is intended behavior.
If the _isOptimismMintableERC20 function returns true only when the both of interfaces are implemented, the token with only the IOptimismMintableERC20 will be treated as if they are not the optimism mintable function, without failing.
@github-actions github-actions bot added Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue labels Feb 20, 2023
@github-actions github-actions bot mentioned this issue Feb 20, 2023
Closed
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Feb 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Has Duplicates A valid issue with 1+ other issues describing the same vulnerability Medium A valid Medium severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin