When a user transfers an reSDL NFT from a secondary chain back to the primary chain using RESDLTokenBridge, the NFT is burned on the secondary before the tx is sent to the primary chain.
If the cross-chain tx fails, the user would have lost access on both chains - the NFT was burned on the secondary, but never minted on the primary.
The cross-chain transfer functionality enables users to move their reSDL NFTs between the primary and secondary chains using the RESDLTokenBridge contract.
This process relies on:
Burning the NFT on the source chain
Sending a CCIP message to mint a new NFT on the destination chain
This creates a vulnerability where a failed cross-chain transfer leads to permanent loss of access.
Some potential failure cases:
Blocked by frontrunning
CCIP tx reverts due to issues with extraArgs
Temporary network congestion
An attacker could manipulate conditions to increase the failure rate of cross-chain txs. For example:
Frontrun and manipulate the state to frequently revert
Craft malicious CCIP router to intermittently revert messages
Spam network to create congestion
By forcing failures, an attacker could exploit users and cause loss of funds.
The root cause lies in burning tokens on one chain before the minting operation completes on the other chain. If the cross-chain transaction fails after burning the NFT, the user permanently loses access as the NFT no longer exists on either chain.
A failed cross-chain transfer can lead to irrecoverable locking of user tokens, causing permanent loss of access.
Here is the key section of RESDLTokenBridge.sol that burns the NFT on the secondary chain before attempting the transfer: RESDLTokenBridge.sol#transferRESDL
As you can see, it first calls the burn function of the SDLPool to permanently destroy the NFT on the secondary chain.
After that, it builds the CCIP message and sends it cross-chain.
So if ccipSend fails for any reason, the NFT has already been burned and is unrecoverable on that chain. That could lead to permanent loss of access for the user.
Manual Review
Implement retries with exponential backoff
Support withdrawal from minted NFT while in transit
Provide emergency user balance recovery
Adding failure handling logic would help minimize and contain the potential damage from disruptions.
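The burn-before-mint root cause and the recovery recommendation above can be compared in a toy two-chain model. This is an added example, not the RESDLTokenBridge code: every class and method name is hypothetical, and it assumes the source chain can learn whether the destination-side mint succeeded.

```python
# Toy two-chain model. Added example: every name is hypothetical and this is
# not the RESDLTokenBridge code. `delivered` stands for whether the
# destination-side mint succeeded (constructed input).

class Chain:
    def __init__(self, owners=None):
        self.owners = dict(owners or {})        # token_id -> owner

class BurnFirstBridge:
    """Pattern from the finding: burn on the source, then send the message."""
    def __init__(self, src, dst):
        self.src, self.dst = src, dst

    def transfer(self, token_id, delivered):
        owner = self.src.owners.pop(token_id)   # burn: source keeps no record
        if delivered:
            self.dst.owners[token_id] = owner   # mint on destination
        return delivered                        # on failure nothing can be restored

class EscrowBridge:
    """Mitigation sketch: escrow on the source until the outcome is known."""
    def __init__(self, src, dst):
        self.src, self.dst = src, dst
        self.pending = {}                       # token_id -> [owner, status]

    def send(self, token_id):
        self.pending[token_id] = [self.src.owners.pop(token_id), "in_flight"]

    def settle(self, token_id, delivered):
        # Assumption: the source chain learns the outcome (e.g. an ack message).
        if delivered:
            self.dst.owners[token_id] = self.pending.pop(token_id)[0]
        else:
            self.pending[token_id][1] = "failed"

    def recover(self, token_id, caller):
        owner, status = self.pending.get(token_id, (None, None))
        # Refund only after a confirmed failure, or the token could exist twice.
        if owner != caller or status != "failed":
            raise PermissionError("no failed transfer for this caller")
        del self.pending[token_id]
        self.src.owners[token_id] = owner

def holder(chains, token_id):
    """Return the owner of token_id on any chain, or None if it exists nowhere."""
    return next((c.owners[token_id] for c in chains if token_id in c.owners), None)
```

In the model, recovery is refused while the message is still in flight; a refund at that point followed by a late mint would leave the token on both chains.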