Description: The KittyConnect::bridgeNftToAnotherChain and KittyBridge::bridgeNftWithData functions within the NFT bridge protocol facilitate the transfer of NFTs across different blockchain networks. Each call makes the bridge contract pay the cross-chain fee in LINK from its own balance, so a malicious user can drain the bridge contract's LINK tokens simply by calling these functions repeatedly. If this is not properly managed, the bridge contract eventually runs out of LINK, causing the project to lose money and leading to a denial of service (DoS) in which the bridge function becomes unavailable because the LINK balance is depleted.
Impact: The potential for malicious drainage of LINK tokens can have several significant impacts on the project:
Financial Loss: The project could incur significant financial losses as the bridge contract's LINK tokens are depleted. This could affect the project's ability to cover operational costs and maintain the service.
Service Availability: The depletion of LINK tokens could lead to a denial of service (DoS) situation, where the bridge function becomes unavailable. This would prevent users from transferring NFTs across different blockchain networks, severely impacting the project's utility and user experience.
Proof of Concept: To demonstrate this vulnerability, a malicious user could repeatedly call the KittyConnect::bridgeNftToAnotherChain or KittyBridge::bridgeNftWithData functions, causing the bridge contract to repeatedly attempt to deduct LINK tokens as fees for the transfers. Here is an example test which can be added to the protocol test suite, showing how the attack works:
To run the test, use a Sepolia testnet forked URL:
Also, the gas cost for this test function is approximately 14,500,000, which is quite high and reduces the likelihood of the attack.
Recommended Mitigation: To mitigate this vulnerability, several measures can be implemented:
Add an onlyKittyConnect Modifier: Implement an onlyKittyConnect modifier on the KittyBridge::bridgeNftWithData function. This significantly decreases the attack probability because transferring an actual NFT costs more gas than sending arbitrary bytes as data, and a project user is less likely to attack the project than any other person.
Require Additional Approvals: For high-value transfers, repeated transfers, or for any bridge transfer, require additional approvals or confirmations from shop owners. This could involve a multi-signature mechanism or additional user confirmation.
Do Not Charge the Bridge Contract: Add the onlyKittyConnect modifier and, instead of charging the bridge contract for the LINK tokens, take the fee amount from the user when they call for the bridge process. This is the main recommendation, as it directly addresses the vulnerability by shifting the cost to the user and thereby removes the risk of the bridge contract running out of LINK tokens.
By implementing these mitigation strategies, the project can better protect against the potential for malicious drainage of LINK tokens and ensure the reliability and security of the NFT bridge service. Here is how the 3rd recommendation can be implemented:
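The following is an added illustration of that recommendation and is not the project's own code or a snippet from the original submission. It is a reduced, hypothetical KittyBridge: the contract layout, the error names, the 400,000 gas limit and the extra `payer` parameter (the end user that KittyConnect is bridging on behalf of) are assumptions made here; the `IRouterClient`, `Client` and `LinkTokenInterface` types and the import paths are the ones used by Chainlink's CCIP examples. The user is expected to have approved the bridge to spend LINK before calling.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Import paths as used in Chainlink's CCIP examples (assumed to match the project's setup).
import {IRouterClient} from "@chainlink/contracts-ccip/src/v0.8/ccip/interfaces/IRouterClient.sol";
import {Client} from "@chainlink/contracts-ccip/src/v0.8/ccip/libraries/Client.sol";
import {LinkTokenInterface} from "@chainlink/contracts/src/v0.8/shared/interfaces/LinkTokenInterface.sol";

// Hypothetical, reduced bridge used only to show the mitigation.
contract KittyBridge {
    error KittyBridge__NotKittyConnect();
    error KittyBridge__LinkFeeTransferFailed();

    IRouterClient private immutable i_router;
    LinkTokenInterface private immutable i_link;
    address private immutable i_kittyConnect;

    // Only the KittyConnect contract may trigger a bridge transfer.
    modifier onlyKittyConnect() {
        if (msg.sender != i_kittyConnect) revert KittyBridge__NotKittyConnect();
        _;
    }

    constructor(address router, address link, address kittyConnect) {
        i_router = IRouterClient(router);
        i_link = LinkTokenInterface(link);
        i_kittyConnect = kittyConnect;
    }

    // `payer` (assumed parameter) is the user KittyConnect is acting for; the LINK
    // fee is pulled from them, so the bridge's own LINK balance is never spent.
    function bridgeNftWithData(
        uint64 destinationChainSelector,
        address receiver,
        bytes memory data,
        address payer
    ) external onlyKittyConnect returns (bytes32 messageId) {
        Client.EVM2AnyMessage memory message = Client.EVM2AnyMessage({
            receiver: abi.encode(receiver),
            data: data,
            tokenAmounts: new Client.EVMTokenAmount[](0),
            feeToken: address(i_link),
            // Gas limit for the destination-chain callback; value chosen for this example.
            extraArgs: Client._argsToBytes(Client.EVMExtraArgsV1({gasLimit: 400_000}))
        });

        // Ask the router for the exact LINK fee for this message.
        uint256 fee = i_router.getFee(destinationChainSelector, message);

        // Shift the cost to the user: pull the fee from `payer` (requires prior approval).
        if (!i_link.transferFrom(payer, address(this), fee)) {
            revert KittyBridge__LinkFeeTransferFailed();
        }

        // Allow the router to take only the fee just collected, then send.
        i_link.approve(address(i_router), fee);
        messageId = i_router.ccipSend(destinationChainSelector, message);
    }
}
```

With this layout a caller who has not approved LINK to the bridge simply reverts in `transferFrom`, and the bridge's pre-funded balance is no longer the resource an attacker can exhaust; the `onlyKittyConnect` check additionally means the only path into the function is the NFT-transfer flow, which carries its own gas cost.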