First Flight #12: Kitty Connect

Submission Details
Severity: high
Valid

Mapping with users' tokens ID not updated when bridging

Summary

The mapping of users' token IDs is not updated when a token is minted through the bridge.

Vulnerability Details

Although the variable KittyConnect.sol::s_ownerToCatsTokenId is updated whenever a user mints or bridges an NFT, it is left unchanged when an NFT is received from another chain.

Impact

When users bridge their NFTs, the mapping is updated only on the source chain. Consequently, the number of tokens a user can bridge is limited to the number of natively minted tokens minus the number minted through the bridge. This limitation arises because the function KittyConnect.sol::bridgeNftToAnotherChain() reverts when the owner's array is empty. Refer to the example below for clarification.

Proof of Code

Add the following to the current test suite and import the helper library stdError:

```solidity
function test_tokenNotAddedToMapping() public {
    address sender = makeAddr("sender");
    address catOwner = makeAddr("catOwner");

    // Payload of the incoming cross-chain message for catOwner's NFT
    bytes memory data = abi.encode(
        catOwner,
        "meowdy",
        "ragdoll",
        "ipfs://QmbxwGgBGrNdXPm84kqYskmcMT3jrzBN8LzQjixvkz4c62",
        block.timestamp,
        partnerA
    );

    vm.prank(kittyConnectOwner);
    kittyBridge.allowlistSender(networkConfig.router, true);

    Client.Any2EVMMessage memory message = Client.Any2EVMMessage({
        messageId: bytes32(0),
        sourceChainSelector: networkConfig.otherChainSelector,
        sender: abi.encode(sender),
        data: data,
        destTokenAmounts: new Client.EVMTokenAmount[](0)
    });

    // Deliver the message as the router so the NFT is minted through the bridge
    vm.prank(networkConfig.router);
    kittyBridge.ccipReceive(message);

    // The owner's token-ID array was not updated by the bridged mint
    uint256[] memory cats = kittyConnect.getCatsTokenIdOwnedBy(catOwner);
    assertEq(cats.length, 0);

    uint64 otherChainSelector = 14767482510784806043;
    address destChainBridge = makeAddr("destChainBridge");

    // catOwner tries to bridge token ID 0 and the call reverts with an arithmetic error
    vm.expectRevert(stdError.arithmeticError);
    vm.prank(catOwner);
    kittyConnect.bridgeNftToAnotherChain(
        otherChainSelector,
        destChainBridge,
        0
    );
    vm.stopPrank();
}
```

Tools Used

Manual review.

Recommendations

Add the following to KittyConnect.sol::mintBridgedNFT():

```solidity
s_ownerToCatsTokenId[catOwner].push(tokenId);
```
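
A self-contained simplified model of this bookkeeping, added here as an example and not KittyConnect's own code. `OwnerIndexModel`, `mintNative`, `mintBridgedUnsynced`, `mintBridgedSynced` and `bridgeOut` are hypothetical names, and the swap-and-pop removal in `bridgeOut` is an assumption consistent with the arithmetic-error revert the test above expects.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model (added example, not KittyConnect's code) of keeping an
/// owner -> token-ID array in sync with ownership on every mint path.
contract OwnerIndexModel {
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256[]) private s_ownerToCatsTokenId;
    uint256 private nextId;

    function getCatsTokenIdOwnedBy(address owner) external view returns (uint256[] memory) {
        return s_ownerToCatsTokenId[owner];
    }

    // Native mint: ownership and the per-owner array are updated together.
    function mintNative(address catOwner) external returns (uint256 tokenId) {
        tokenId = nextId++;
        ownerOf[tokenId] = catOwner;
        s_ownerToCatsTokenId[catOwner].push(tokenId);
    }

    // Bridged mint as described in the finding: the array is left untouched.
    function mintBridgedUnsynced(address catOwner) external returns (uint256 tokenId) {
        tokenId = nextId++;
        ownerOf[tokenId] = catOwner;
    }

    // Bridged mint with the recommended push applied.
    function mintBridgedSynced(address catOwner) external returns (uint256 tokenId) {
        tokenId = nextId++;
        ownerOf[tokenId] = catOwner;
        s_ownerToCatsTokenId[catOwner].push(tokenId);
    }

    // Assumed removal logic (swap with last, then pop). On an empty array
    // `length - 1` underflows, which is a Panic(0x11) arithmetic error.
    function bridgeOut(uint256 tokenId) external {
        require(ownerOf[tokenId] == msg.sender, "not owner");
        uint256[] storage ids = s_ownerToCatsTokenId[msg.sender];
        uint256 last = ids.length - 1;
        for (uint256 i = 0; i <= last; i++) {
            if (ids[i] != tokenId) continue;
            ids[i] = ids[last];
            ids.pop();
            delete ownerOf[tokenId];
            return;
        }
        revert("index out of sync"); // owned token missing from the array
    }
}
```

In this model, `bridgeOut` after `mintBridgedUnsynced` reverts for an owner with no native mints, while the same call after `mintBridgedSynced` succeeds and leaves the array empty again.
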
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

owner's token ID array not updated in `mintBridgedNFT`
