Users will lose their NFT when they bridge it to another chain.
1. The user calls KittyConnect.bridgeNftToAnotherChain().
2. The NFT is burned.
3. KittyBridge.bridgeNftWithData() is called.
4. The request is sent to CCIP (here the transaction will not work, as the fee approval is not given).
KittyBridge.bridgeNftWithData() should approve the fees and then call router.ccipSend, but the token fee approval to the router is missing. Because of this, the KittyBridge._ccipReceive() function will never be called. As the NFT is burned and is not minted on the other chain, and there is no revert anywhere, the owner is bound to lose their NFT.
Add this line before calling ccipSend: s_linkToken.approve(address(router), fees);
Owners will lose their NFTs
Visual Studio Code & Foundry
Remix
Short Term solution:
Add the line below inside the KittyBridge.bridgeNftWithData function, before the router.ccipSend call:
s_linkToken.approve(address(router), fees);
Long Term solution:
Implement Pausable & Upgradeable contracts so that further NFT owner losses can be stopped quickly and the issue rectified without users having to move to a new contract address.
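The short-term fix in context, as an added example that is not KittyBridge source: a minimal CCIP sender that pays the fee in LINK and approves the router for exactly that fee before calling ccipSend. The contract name, function name, owner check, gas limit and import paths are assumptions (paths depend on the installed Chainlink and OpenZeppelin package versions); s_linkToken, router and fees follow the names used above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Import paths are assumptions; adjust to the installed package versions.
import {IRouterClient} from "@chainlink/contracts-ccip/src/v0.8/ccip/interfaces/IRouterClient.sol";
import {Client} from "@chainlink/contracts-ccip/src/v0.8/ccip/libraries/Client.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Hypothetical contract, for illustration only.
contract FeeApprovingSender {
    error NotOwner();
    error NotEnoughLink(uint256 balance, uint256 fees);
    error ApproveFailed();

    address private immutable i_owner;
    IRouterClient private immutable router;
    IERC20 private immutable s_linkToken;

    constructor(address _router, address _link) {
        i_owner = msg.sender;
        router = IRouterClient(_router);
        s_linkToken = IERC20(_link);
    }

    function sendWithLinkFee(uint64 destChainSelector, address receiver, bytes calldata data)
        external
        returns (bytes32 messageId)
    {
        // Only the owner may spend this contract's LINK on fees.
        if (msg.sender != i_owner) revert NotOwner();

        Client.EVM2AnyMessage memory message = Client.EVM2AnyMessage({
            receiver: abi.encode(receiver),
            data: data,
            tokenAmounts: new Client.EVMTokenAmount[](0), // data-only message
            feeToken: address(s_linkToken),               // fee is paid in LINK
            // 200_000 is a constructed sample gas limit for the receiver call.
            extraArgs: Client._argsToBytes(Client.EVMExtraArgsV1({gasLimit: 200_000}))
        });

        uint256 fees = router.getFee(destChainSelector, message);
        uint256 balance = s_linkToken.balanceOf(address(this));
        if (balance < fees) revert NotEnoughLink(balance, fees);

        // The step reported as missing: let the router pull exactly `fees` LINK.
        if (!s_linkToken.approve(address(router), fees)) revert ApproveFailed();

        messageId = router.ccipSend(destChainSelector, message);
    }
}
```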