Summary
The function `bridgeNftWithData` has no access control check and can be called by anyone.
Impact
High
PoC
```solidity
function test_bridgeNftWithDataShouldRevertIfCalledByNotKittyConnect() public {
    uint64 chainId = 1;
    bytes memory data = abi.encode(
        makeAddr("catOwner"),
        "meowdy",
        "ragdoll",
        "ipfs://QmbxwGgBGrNdXPm84kqYskmcMT3jrzBN8LzQjixvkz4c62",
        block.timestamp,
        partnerA
    );

    // The owner allowlists the destination chain so the call is not rejected for that reason.
    vm.prank(kittyConnectOwner);
    kittyBridge.allowlistDestinationChain(chainId, true);

    // An arbitrary account (not KittyConnect) calls the bridge function directly.
    address maliciousUser = makeAddr("maliciousUser");
    vm.prank(maliciousUser);
    vm.expectRevert();
    kittyBridge.bridgeNftWithData(chainId, maliciousUser, data);
}
```
Recommendations
Check the function caller by applying the `onlyKittyConnect` modifier, which is defined in `KittyBridgeBase.sol`, to the `bridgeNftWithData` function.
```diff
 function bridgeNftWithData(uint64 _destinationChainSelector, address _receiver, bytes memory _data)
     external
     onlyAllowlistedDestinationChain(_destinationChainSelector)
     validateReceiver(_receiver)
+    onlyKittyConnect()
     returns (bytes32 messageId)
 {
```
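For reference, here is an added, self-contained sketch of what the recommended caller check looks like in Solidity. It is illustrative code written for this report, not the project's own `KittyBridgeBase.sol`: the contract and modifier names follow the finding, while the `kittyConnect` storage variable, the custom error name and the stripped-down function body are assumptions. The real `bridgeNftWithData` also keeps its destination-chain and receiver checks and sends the cross-chain message; only the access control that the finding recommends is shown here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example for this finding, not the project's code. The
// `kittyConnect` variable and the error name are assumptions.
abstract contract KittyBridgeBase {
    // Assumed: address of the only contract allowed to trigger a bridge.
    address public kittyConnect;

    // Assumed error name; a custom error keeps the revert reason explicit.
    error KittyBridge__NotKittyConnect(address caller);

    // Reverts unless the caller is the trusted KittyConnect contract.
    modifier onlyKittyConnect() {
        if (msg.sender != kittyConnect) {
            revert KittyBridge__NotKittyConnect(msg.sender);
        }
        _;
    }
}

contract KittyBridgeExample is KittyBridgeBase {
    event NftBridged(uint64 indexed destinationChainSelector, address indexed receiver, bytes data);

    constructor(address _kittyConnect) {
        kittyConnect = _kittyConnect;
    }

    // Simplified stand-in for bridgeNftWithData: the production function also
    // applies onlyAllowlistedDestinationChain and validateReceiver and sends a
    // cross-chain message. With onlyKittyConnect in place, a direct call from
    // any other account reverts before any of that logic runs.
    function bridgeNftWithData(uint64 _destinationChainSelector, address _receiver, bytes memory _data)
        external
        onlyKittyConnect
        returns (bytes32 messageId)
    {
        emit NftBridged(_destinationChainSelector, _receiver, _data);
        // Constructed placeholder id; the real bridge returns the messaging layer's id.
        messageId = keccak256(abi.encode(_destinationChainSelector, _receiver, _data, block.number));
    }
}
```

With the modifier applied, the PoC above passes: the `vm.expectRevert()` is satisfied because `maliciousUser` is not the configured `kittyConnect` address, while calls routed through KittyConnect continue to work unchanged.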