First Flight #12: Kitty Connect
First Flight #12: Kitty Connect
Beginner FriendlyFoundryNFTGameFi
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Mint Some NFT WIthout Burn on Source Chain No Access Control on KittyBridge::bridgeNftWithData

touqeershah32

Summary

Mint Some NFT WIthout Burn on Source Chain because No Access Control on KittyBridge::bridgeNftWithData it should be only call from KittyConnect::bridgeNftToAnotherChain but it is external which make it call from without call from KittyConnect.

Vulnerability Details

Attacker or User himself do following steps and mint some NFT again on destinations chain

  • Step call KittyConnect::getCatInfo get information which is required to call mintBridgedNFT

bytes memory data = abi.encode(catOwner, catInfo.catName, catInfo.breed, catInfo.image, catInfo.dob, catInfo.shopPartner);

  • Pay Fee To KittyBridge and pass data which he get from step 1 run it.

  • It ill not check anythin execpt the validateReceiver which check address not eqaul to zero and onlyAllowlistedDestinationChain then it run the transactions.

  • Then on destinations chain function call KittyConnect::mintBridgedNFT and Mint NFT for that User WIthout Burn it.

Impact

Lose NFT , or Duplicate NFT without.

Tools Used

Manual Review.

Recommendations

Add Access Control only KittyConnect::Address will Allow to call KittyBridge::bridgeNftWithData functions

function bridgeNftWithData(uint64 _destinationChainSelector, address _receiver, bytes memory _data)
external
onlyAllowlistedDestinationChain(_destinationChainSelector)
validateReceiver(_receiver)
+ onlyKittyConnect(msg.sender)
returns (bytes32 messageId)
{
......
}
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`bridgeNftWithData` misses access control

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.