test(integration): withdrawing a fake L2 token

[maurelian]

Description

Adds an integration test demonstrating that a commonly perceived vulnerability does not in fact exist.

Specifically, there appears to an obvious bug which would allow an attacker to withdraw a fake ERC20 token from L2 in exchange for a real ERC20 (such as WBTC) token on L1. There is no check in the L2StandardBridge, however the withdrawal is prevented from finalizing by a check in the L1StandardBridge.

[changeset-bot]

🦋 Changeset detected

Latest commit: 0293749

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@eth-optimism/integration-tests	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[tynes]

Can you add a changeset for the integration tests?

[maurelian]

Ideally I would assert that this transaction does not emit an ERC20WithdrawalFinalized event, but I did not see a logs field on the remoteTx object which this returns.

It's been a while since I've worked with the cross-domain testing utils, am I missing something?

[codecov-commenter]

Codecov Report

Merging #2061 (71ddfa7) into develop (eb926e2) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop    #2061   +/-   ##
========================================
  Coverage    74.58%   74.58%           
========================================
  Files           79       79           
  Lines         2554     2554           
  Branches       401      401           
========================================
  Hits          1905     1905           
  Misses         649      649           

Flag	Coverage Δ
batch-submitter	62.50% <ø> (ø)
contracts	90.48% <ø> (ø)
core-utils	57.50% <ø> (ø)
data-transport-layer	38.64% <ø> (ø)
message-relayer	70.86% <ø> (ø)
sdk	88.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
packages/core-utils/src/bn.ts	100.00% <0.00%> (ø)
packages/core-utils/src/fees.ts	52.94% <0.00%> (ø)
packages/core-utils/src/alias.ts	81.81% <0.00%> (ø)
packages/sdk/src/utils/coercion.ts	88.46% <0.00%> (ø)
packages/sdk/src/utils/contracts.ts	93.33% <0.00%> (ø)
packages/sdk/src/cross-chain-provider.ts	82.67% <0.00%> (ø)
packages/sdk/src/utils/message-encoding.ts	100.00% <0.00%> (ø)
packages/core-utils/src/common/test-utils.ts	95.55% <0.00%> (ø)
packages/core-utils/src/coders/sequencer-batch.ts	100.00% <0.00%> (ø)
...kages/data-transport-layer/src/utils/validation.ts	10.71% <0.00%> (ø)
... and 6 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update eb926e2...71ddfa7. Read the comment docs.

[maurelian]

@elenadimitrova I've requested your review as this test implements the bridge withdrawal bug which we've received several false positive reports on.