First Flight #12: Kitty Connect

Tags: Beginner Friendly, Foundry, NFT, GameFi
Submission Details
Severity: high
Valid

Missing access control in `KittyBridge::bridgeNftWithData`

Summary

`KittyBridge::bridgeNftWithData` does not have adequate access control, and, consequently, anyone at any time can call this function.

Vulnerability Details

`KittyBridge::bridgeNftWithData` is supposed to send the encoded NFT data for bridging an NFT from one chain to another. As such, it is supposed to be called only during the bridging process, and only from within `KittyConnect::bridgeNftToAnotherChain`. However, `bridgeNftWithData()` lacks the access control necessary to enforce this and, as a result, anyone at any time can call this function.

Impact

Anyone, at any time, can call `KittyBridge::bridgeNftWithData` with an arbitrary (and arbitrarily large) payload. Since sending a message via

```solidity
messageId = router.ccipSend(_destinationChainSelector, evm2AnyMessage);
```

entails paying execution fees for the message to Chainlink, an attacker could drain the LINK balance of the `KittyBridge` contract (that is, provided that another bug is fixed before this one, and `KittyBridge` approves the router to spend its LINK).

(The impact is contained at this level, since the next step of the bridging process is receipt on the destination chain, and fortunately `KittyBridge::_ccipReceive` accepts messages only from allowlisted senders.)

Tools Used

Manual review, Foundry.

Recommendations

Add access control to `KittyBridge::bridgeNftWithData`:

```diff
function bridgeNftWithData(uint64 _destinationChainSelector, address _receiver, bytes memory _data)
    external
+   onlyKittyConnect
    onlyAllowlistedDestinationChain(_destinationChainSelector)
    validateReceiver(_receiver)
    returns (bytes32 messageId)
{
    ...
}
```

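The recommendation above only shows where the modifier goes; the page does not show how `onlyKittyConnect` is implemented, nor a regression test for the Impact section's scenario (an unrelated address submitting a large payload). The following is an added example, not the Kitty Connect project's code: a minimal stand-in contract (named `KittyBridgeAccessControlDemo` here, an assumption) that models only the access-control path, with the CCIP router call replaced by an event and a counter so it compiles without the Chainlink dependencies, plus a Foundry test that asserts a non-`KittyConnect` caller reverts and the stored `KittyConnect` address can still bridge. The custom error name `KittyBridge__NotKittyConnect` and the constructor wiring are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

/// Stand-in for KittyBridge (added example, not the project's contract).
/// Only the access-control path is modelled; the real router.ccipSend call
/// is replaced by an event and a counter so this file has no CCIP imports.
contract KittyBridgeAccessControlDemo {
    // Assumed error name; the project may use a different one.
    error KittyBridge__NotKittyConnect();

    // Address of the KittyConnect contract, set once at deployment (assumed wiring).
    address public immutable kittyConnect;
    uint256 public messagesSent;

    event BridgeRequested(uint64 destinationChainSelector, address receiver, bytes data);

    constructor(address _kittyConnect) {
        kittyConnect = _kittyConnect;
    }

    /// Gate every cross-chain send behind the KittyConnect contract, so that
    /// LINK held by the bridge can only be spent as part of a real bridging flow.
    modifier onlyKittyConnect() {
        if (msg.sender != kittyConnect) revert KittyBridge__NotKittyConnect();
        _;
    }

    function bridgeNftWithData(uint64 _destinationChainSelector, address _receiver, bytes memory _data)
        external
        onlyKittyConnect
        returns (bytes32 messageId)
    {
        // In the real contract this is where router.ccipSend(...) pays fees in LINK.
        messagesSent += 1;
        emit BridgeRequested(_destinationChainSelector, _receiver, _data);
        messageId = keccak256(abi.encode(_destinationChainSelector, _receiver, _data, messagesSent));
    }
}

/// Foundry regression test for the finding: unauthorized callers must revert
/// before any fee-paying message is sent; the wired KittyConnect still works.
contract KittyBridgeAccessControlTest is Test {
    KittyBridgeAccessControlDemo internal bridge;
    address internal kittyConnect = makeAddr("kittyConnect");
    address internal attacker = makeAddr("attacker");

    function setUp() public {
        bridge = new KittyBridgeAccessControlDemo(kittyConnect);
    }

    function test_unauthorizedCallerReverts() public {
        // Arbitrary caller with an arbitrarily large payload, as in the Impact section.
        vm.prank(attacker);
        vm.expectRevert(KittyBridgeAccessControlDemo.KittyBridge__NotKittyConnect.selector);
        bridge.bridgeNftWithData(1, attacker, new bytes(10_000));
        assertEq(bridge.messagesSent(), 0);
    }

    function test_kittyConnectCanBridge() public {
        vm.prank(kittyConnect);
        bytes32 id = bridge.bridgeNftWithData(1, address(0xBEEF), hex"01");
        assertTrue(id != bytes32(0));
        assertEq(bridge.messagesSent(), 1);
    }
}
```

Run with `forge test --match-contract KittyBridgeAccessControlTest`. In the real `KittyBridge`, the modifier would sit alongside `onlyAllowlistedDestinationChain` and `validateReceiver` exactly as in the recommendation; the check on `msg.sender` is what stops anyone other than `KittyConnect` from causing the bridge to pay CCIP fees.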
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`bridgeNftWithData` misses access control
