First Flight #12: Kitty Connect

Tags: Beginner Friendly, Foundry, NFT, GameFi
100 EXP
Submission Details
Severity: high
Valid

Function `bridgeNftWithData` in **KittyBridge.sol** has no caller restriction and allows anyone to mint tokens on another chain.

Summary

`bridgeNftWithData` performs no access-control check on `msg.sender`. Any address, not only the KittyConnect contract it is meant to serve, can call it and send a bridge message carrying caller-chosen NFT data, bypassing whatever checks KittyConnect performs before it calls the bridge.

Impact

High. An attacker can trigger a mint on the destination chain for an NFT they do not own on the source chain, supplying arbitrary encoded fields (owner, name, breed, image URI, birth date, shop partner) in the message data.

PoC

The test below fails against the unpatched contract (the call from `maliciousUser` does not revert) and passes once the caller check is added. `kittyConnectOwner`, `kittyBridge` and `partnerA` come from the test contract's `setUp`.

```solidity
function test_bridgeNftWithDataShouldRevertIfCalledByNotKittyConnect() public {
    uint64 chainId = 1;
    // Attacker-chosen payload in the shape the bridge expects:
    // (owner, name, breed, image, dob, shopPartner)
    bytes memory data = abi.encode(
        makeAddr("catOwner"),
        "meowdy",
        "ragdoll",
        "ipfs://QmbxwGgBGrNdXPm84kqYskmcMT3jrzBN8LzQjixvkz4c62",
        block.timestamp,
        partnerA
    );

    // The owner allowlists the destination chain, as in normal operation.
    vm.prank(kittyConnectOwner);
    kittyBridge.allowlistDestinationChain(chainId, true);

    // An unrelated EOA calls the bridge directly. On the vulnerable
    // contract this succeeds, so the expected revert never happens.
    address maliciousUser = makeAddr("maliciousUser");
    vm.prank(maliciousUser);
    // Caveat: a bare expectRevert() accepts any revert reason. Once the
    // fix is in, expect the specific error raised by onlyKittyConnect so
    // that an unrelated revert (e.g. from the CCIP router or fee setup)
    // cannot make this test pass by accident.
    vm.expectRevert();
    kittyBridge.bridgeNftWithData(chainId, maliciousUser, data);
}
```

Recommendations

Restrict the caller with the `onlyKittyConnect` modifier defined in KittyBridgeBase.sol by adding it to `bridgeNftWithData`:

```diff
function bridgeNftWithData(uint64 _destinationChainSelector, address _receiver, bytes memory _data)
    external
    onlyAllowlistedDestinationChain(_destinationChainSelector)
    validateReceiver(_receiver)
+   onlyKittyConnect()
    returns (bytes32 messageId)
{
```

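The following is an added example, not KittyConnect's code, showing the vulnerable and hardened forms of the function side by side in a self-contained Foundry test. The contract and error names (`MiniBridgeBase`, `VulnerableBridge`, `FixedBridge`, `Bridge__NotKittyConnect`, and so on) are assumptions, and the CCIP router call is replaced by a local event so the file runs under `forge test` without a router or LINK fees.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example: stripped-down bridge used to exercise the missing caller
// check. Names and the event-based stand-in for CCIP are assumptions.
error Bridge__NotKittyConnect(address caller);
error Bridge__DestinationChainNotAllowlisted(uint64 selector);
error Bridge__InvalidReceiver();

abstract contract MiniBridgeBase {
    address public immutable owner;
    address public immutable kittyConnect;
    mapping(uint64 => bool) public allowlistedDestinationChains;
    bytes32 public lastMessageId;
    uint256 internal nonce;

    event MessageSent(bytes32 indexed messageId, uint64 indexed chainSelector, address receiver, bytes data);

    constructor(address _owner, address _kittyConnect) {
        owner = _owner;
        kittyConnect = _kittyConnect;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The check the finding reports as missing from bridgeNftWithData.
    modifier onlyKittyConnect() {
        if (msg.sender != kittyConnect) revert Bridge__NotKittyConnect(msg.sender);
        _;
    }

    modifier onlyAllowlistedDestinationChain(uint64 selector) {
        if (!allowlistedDestinationChains[selector]) revert Bridge__DestinationChainNotAllowlisted(selector);
        _;
    }

    modifier validateReceiver(address receiver) {
        if (receiver == address(0)) revert Bridge__InvalidReceiver();
        _;
    }

    function allowlistDestinationChain(uint64 selector, bool allowed) external onlyOwner {
        allowlistedDestinationChains[selector] = allowed;
    }

    // Stand-in for the CCIP router send: derive a message id and record it.
    function _send(uint64 selector, address receiver, bytes memory data) internal returns (bytes32 messageId) {
        messageId = keccak256(abi.encode(selector, receiver, data, nonce++));
        lastMessageId = messageId;
        emit MessageSent(messageId, selector, receiver, data);
    }
}

// Before the fix: any address can trigger a send, and thus a mint on the other chain.
contract VulnerableBridge is MiniBridgeBase {
    constructor(address o, address k) MiniBridgeBase(o, k) {}

    function bridgeNftWithData(uint64 selector, address receiver, bytes memory data)
        external onlyAllowlistedDestinationChain(selector) validateReceiver(receiver)
        returns (bytes32) { return _send(selector, receiver, data); }
}

// After the fix: only the KittyConnect contract may call it.
contract FixedBridge is MiniBridgeBase {
    constructor(address o, address k) MiniBridgeBase(o, k) {}

    function bridgeNftWithData(uint64 selector, address receiver, bytes memory data)
        external onlyAllowlistedDestinationChain(selector) validateReceiver(receiver) onlyKittyConnect
        returns (bytes32) { return _send(selector, receiver, data); }
}

contract BridgeAccessControlTest is Test {
    address owner = makeAddr("owner");
    address kittyConnect = makeAddr("kittyConnect");
    address attacker = makeAddr("attacker");
    uint64 constant CHAIN = 1;
    VulnerableBridge vulnerable;
    FixedBridge fixedBridge;
    bytes data;

    function setUp() public {
        vulnerable = new VulnerableBridge(owner, kittyConnect);
        fixedBridge = new FixedBridge(owner, kittyConnect);
        vm.startPrank(owner);
        vulnerable.allowlistDestinationChain(CHAIN, true);
        fixedBridge.allowlistDestinationChain(CHAIN, true);
        vm.stopPrank();
        // Constructed payload in the (owner, name, breed, image, dob, partner) shape.
        data = abi.encode(attacker, "meowdy", "ragdoll", "ipfs://example", block.timestamp, makeAddr("partner"));
    }

    // The bug: a random EOA gets a message sent on its behalf.
    function test_attackerCanBridgeOnVulnerable() public {
        vm.prank(attacker);
        bytes32 id = vulnerable.bridgeNftWithData(CHAIN, attacker, data);
        assertEq(id, vulnerable.lastMessageId());
    }

    // The fix, asserted on the exact error rather than a bare expectRevert().
    function test_attackerRejectedOnFixed() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(Bridge__NotKittyConnect.selector, attacker));
        fixedBridge.bridgeNftWithData(CHAIN, attacker, data);
    }

    // The legitimate caller is unaffected by the new modifier.
    function test_kittyConnectStillWorksOnFixed() public {
        vm.prank(kittyConnect);
        fixedBridge.bridgeNftWithData(CHAIN, attacker, data);
    }
}
```

Expecting the encoded custom error, rather than any revert, is what makes the negative test meaningful: with a bare `vm.expectRevert()` a misconfigured router or missing fee balance would also satisfy the assertion and hide a regression of the caller check.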
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`bridgeNftWithData` misses access control
