First Flight #12: Kitty Connect

Tags: Beginner Friendly, Foundry, NFT, GameFi
Submission Details
Severity: high
Valid

`bridgeNftWithData` can be called by anyone, which allows minting multiple NFTs without the NFT on the source chain ever being burned

Summary

  • The bridgeNftWithData function can be called by anyone, which allows minting multiple NFTs without the NFT on the source chain ever being burned.

Vulnerability Details

  • The bridgeNftWithData function can be called by anyone, which allows the same NFT to be minted on multiple chains.

  • Calling this function directly skips the burn of the NFT on the source chain.

```solidity
function bridgeNftWithData(uint64 _destinationChainSelector, address _receiver, bytes memory _data)
    external
    onlyAllowlistedDestinationChain(_destinationChainSelector)
    validateReceiver(_receiver)
    returns (bytes32 messageId)
{
    // Create an EVM2AnyMessage struct in memory with necessary information for sending a cross-chain message
    Client.EVM2AnyMessage memory evm2AnyMessage = _buildCCIPMessage(_receiver, _data, address(s_linkToken));
    // Initialize a router client instance to interact with cross-chain router
    IRouterClient router = IRouterClient(this.getRouter());
    // Get the fee required to send the CCIP message
    uint256 fees = router.getFee(_destinationChainSelector, evm2AnyMessage);
    if (fees > s_linkToken.balanceOf(address(this))) {
        revert KittyBridge__NotEnoughBalance(s_linkToken.balanceOf(address(this)), fees);
    }
    messageId = router.ccipSend(_destinationChainSelector, evm2AnyMessage);
    emit MessageSent(messageId, _destinationChainSelector, _receiver, _data, address(s_linkToken), fees);
    return messageId;
}
```

POC

  • The bridgeNftWithData function can be called by anyone.

  • An attacker can skip the bridgeNftToAnotherChain function, which burns the NFT on the source chain, and call bridgeNftWithData directly.

  • By calling this function directly, the attacker can mint multiple NFTs on multiple chains.

  • To prevent this, an onlyKittyConnect modifier should be added so that bridgeNftWithData can only be called by the KittyConnect contract.

Impact

  • A malicious user can mint multiple NFTs on multiple chains by calling the bridgeNftWithData function directly.

Tools Used

  • Manual review

Recommendations

  • Here is the updated code with the onlyKittyConnect modifier, which restricts the function so that only the KittyConnect contract can call it.

```diff
 function bridgeNftWithData(uint64 _destinationChainSelector, address _receiver, bytes memory _data)
     external
+    onlyKittyConnect
     onlyAllowlistedDestinationChain(_destinationChainSelector)
     validateReceiver(_receiver)
     returns (bytes32 messageId)
 {
     // Create an EVM2AnyMessage struct in memory with necessary information for sending a cross-chain message
     Client.EVM2AnyMessage memory evm2AnyMessage = _buildCCIPMessage(_receiver, _data, address(s_linkToken));
     // Initialize a router client instance to interact with cross-chain router
     IRouterClient router = IRouterClient(this.getRouter());
     // Get the fee required to send the CCIP message
     uint256 fees = router.getFee(_destinationChainSelector, evm2AnyMessage);
     if (fees > s_linkToken.balanceOf(address(this))) {
         revert KittyBridge__NotEnoughBalance(s_linkToken.balanceOf(address(this)), fees);
     }
     messageId = router.ccipSend(_destinationChainSelector, evm2AnyMessage);
     emit MessageSent(messageId, _destinationChainSelector, _receiver, _data, address(s_linkToken), fees);
     return messageId;
 }
```

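As an added illustration of the recommended fix (this is example code written for this page, not the Kitty Connect repository's code), the sketch below shows a minimal bridge with an `onlyKittyConnect` modifier and a Foundry test that proves the modifier does what the recommendation needs: the configured KittyConnect address can send, and any other caller reverts before a message is sent. The `kittyConnect` state variable, the `KittyBridge__NotKittyConnect` error name, and the replacement of the CCIP send with a simple counter are all assumptions made for the example; the real contract would keep its router call and the other modifiers shown above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the bridge (constructed for this example, not the audited
// KittyBridge). The CCIP send is replaced by a counter so that only the
// access-control behaviour is exercised.
contract BridgeSketch {
    // Assumed error name; the real contract may name it differently.
    error KittyBridge__NotKittyConnect(address caller);

    // Assumed: the only contract allowed to trigger a bridge message.
    address public immutable kittyConnect;
    uint256 public messagesSent;

    constructor(address _kittyConnect) {
        kittyConnect = _kittyConnect;
    }

    // The missing check from the finding: reject every caller except KittyConnect,
    // which is the contract that burns the source-chain NFT before bridging.
    modifier onlyKittyConnect() {
        if (msg.sender != kittyConnect) {
            revert KittyBridge__NotKittyConnect(msg.sender);
        }
        _;
    }

    function bridgeNftWithData(uint64, address, bytes memory)
        external
        onlyKittyConnect
        returns (bytes32 messageId)
    {
        messagesSent++;
        messageId = keccak256(abi.encode(messagesSent));
    }
}

// Foundry test: the modifier admits KittyConnect and rejects a direct caller.
contract BridgeAccessTest is Test {
    BridgeSketch internal bridge;
    address internal kittyConnect = makeAddr("kittyConnect");
    address internal directCaller = makeAddr("directCaller");

    function setUp() public {
        bridge = new BridgeSketch(kittyConnect);
    }

    function test_kittyConnectCanBridge() public {
        vm.prank(kittyConnect);
        bridge.bridgeNftWithData(1, address(0xBEEF), "");
        assertEq(bridge.messagesSent(), 1);
    }

    function test_directCallIsRejected() public {
        vm.prank(directCaller);
        vm.expectRevert(
            abi.encodeWithSelector(BridgeSketch.KittyBridge__NotKittyConnect.selector, directCaller)
        );
        bridge.bridgeNftWithData(1, address(0xBEEF), "");
        // No message was recorded, so no cross-chain mint could follow.
        assertEq(bridge.messagesSent(), 0);
    }
}
```

Run it with `forge test` in a project that has forge-std installed. The second test is the regression check worth keeping in the real suite: if someone later removes the modifier, the direct call succeeds and the test fails.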
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`bridgeNftWithData` misses access control
