First Flight #12: Kitty Connect

First Flight #12: Kitty Connect
Beginner FriendlyFoundryNFTGameFi
100 EXP
View results
Submission Details
Severity: medium
Invalid

`KittyConnect.sol::bridgeNftToAnotherChain` is missing the `idx` data in the bridge message, breaking the protocol's purpose.

KittyConnect.sol::bridgeNftToAnotherChain is missing the idx data in the bridge message, breaking the protocol's purpose.

  • Description:

    • Store Cat information is the core of the Kitty protocol. Although, the KittyConnect.sol::bridgeNftToAnotherChain function fails to deliver it by excluding the parameter idx of the KittyConnect.sol::CatInfo struct.

  • Impact:

    • This not only breaks the protocol core but also private potential new owners and the current owner itself from clear information about your own asset.

    • As follows the function implementation, this info is already deleted from the storage. So, the information is also lost forever.

  • Proof of Concept:

    See the miss implementation below
    function bridgeNftToAnotherChain(uint64 destChainSelector, address destChainBridge, uint256 tokenId) external {
    address catOwner = _ownerOf(tokenId);
    require(msg.sender == catOwner);
    CatInfo memory catInfo = s_catInfo[tokenId];
    uint256 idx = catInfo.idx;
    //@audit-high missing information. The position on the cat ownership array is missing.
    @> bytes memory data = abi.encode(catOwner, catInfo.catName, catInfo.breed, catInfo.image, catInfo.dob, catInfo.shopPartner);
    _burn(tokenId);
    delete s_catInfo[tokenId];
    uint256[] memory userTokenIds = s_ownerToCatsTokenId[msg.sender];
    uint256 lastItem = userTokenIds[userTokenIds.length - 1];
    //@audit-high pop the last registry without check if it's the right cat.
    s_ownerToCatsTokenId[msg.sender].pop();
    if (idx < (userTokenIds.length - 1)) {
    s_ownerToCatsTokenId[msg.sender][idx] = lastItem;
    }
    emit NFTBridgeRequestSent(block.chainid, destChainSelector, destChainBridge, tokenId);
    i_kittyBridge.bridgeNftWithData(destChainSelector, destChainBridge, data);
    }
  • Recommendation:

    Adjust the code as follow
    function bridgeNftToAnotherChain(uint64 destChainSelector, address destChainBridge, uint256 tokenId) external {
    address catOwner = _ownerOf(tokenId);
    require(msg.sender == catOwner);
    CatInfo memory catInfo = s_catInfo[tokenId];
    uint256 idx = catInfo.idx;
    //@audit-high missing information. The position on the cat ownership array is missing.
    - bytes memory data = abi.encode(catOwner, catInfo.catName, catInfo.breed, catInfo.image, catInfo.dob, catInfo.shopPartner);
    + bytes memory data = abi.encode(catOwner, catInfo.catName, catInfo.breed, catInfo.image, catInfo.dob, catInfo.shopPartner, idx);
    _burn(tokenId);
    delete s_catInfo[tokenId];
    uint256[] memory userTokenIds = s_ownerToCatsTokenId[msg.sender];
    uint256 lastItem = userTokenIds[userTokenIds.length - 1];
    //@audit-high pop the last registry without check if it's the right cat.
    s_ownerToCatsTokenId[msg.sender].pop();
    if (idx < (userTokenIds.length - 1)) {
    s_ownerToCatsTokenId[msg.sender][idx] = lastItem;
    }
    emit NFTBridgeRequestSent(block.chainid, destChainSelector, destChainBridge, tokenId);
    i_kittyBridge.bridgeNftWithData(destChainSelector, destChainBridge, data);
    }
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.