NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Initialization Function Can Be Called Multiple Times in Bridge.sol

Summary

The initialize function in Bridge.sol can be called multiple times, which leads to potential unintended state changes or vulnerabilities. Initialization functions should only be callable once to prevent reinitialization risks.

Vulnerability Details

Location: Bridge.sol at line 44:

    function initialize(
        bytes calldata data
    )
        public
        onlyInit
    {
        (
            address owner,
            IStarknetMessaging starknetCoreAddress,
            uint256 starklaneL2Address,
            uint256 starklaneL2Selector
        ) = abi.decode(
            data,
            (address, IStarknetMessaging, uint256, uint256)
        );
        _enabled = false;
        _starknetCoreAddress = starknetCoreAddress;
        _transferOwnership(owner);
        setStarklaneL2Address(starklaneL2Address);
        setStarklaneL2Selector(starklaneL2Selector);
    }

Issue: The initialize function, intended to set up initial state variables, can be called multiple times. This can lead to unpredictable outcomes, such as state corruption or unauthorized state changes.

Impact

  • Severity: Low

  • Impact on the Protocol: If the initialize function is called multiple times, it can lead to unintended state changes, though it may not necessarily compromise the entire contract's security. For example, ownership and address configurations can get overwritten.

  • Likelihood of Exploitation: Moderate. Although the risk exists, the impact is controlled. Initialization typically occurs in controlled settings and not in the wild.

Tools Used

Manual code review

Recommendations

To ensure the initialize function can only be called once, apply an initializer modifier. OpenZeppelin's Initializable contract provides a reliable implementation for this purpose.

  • Import Initializable from OpenZeppelin:

    import "@openzeppelin/contracts/proxy/utils/Initializable.sol";

  • Modify the contract to inherit from Initializable:

    contract Bridge is Initializable {
    }

  • Apply the initializer modifier to the initialize function:

function initialize(
bytes calldata data
)
public
+ initializer // Ensures the function can only be called once
{
(
address owner,
IStarknetMessaging starknetCoreAddress,
uint256 starklaneL2Address,
uint256 starklaneL2Selector
) = abi.decode(
data,
(address, IStarknetMessaging, uint256, uint256)
);
_enabled = false;
_starknetCoreAddress = starknetCoreAddress;
_transferOwnership(owner);
setStarklaneL2Address(starklaneL2Address);
setStarklaneL2Selector(starklaneL2Selector);
}
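
Review bot: Between `public` and `{` this hunk adds `+ initializer` but does not show the `onlyInit` modifier that the original function at Bridge.sol line 44 carries in that position, either as a context line or as a `- onlyInit` line, so the patch does not say whether the existing guard is replaced or kept. Add an explicit `- onlyInit` line if it is meant to go, and state what `onlyInit` permits today that `initializer` would prevent, since the report's claim that `initialize` can be called more than once depends on that and the write-up never examines the modifier.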
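
One way to test a re-initialization claim like the one above, as an added example that is not Bridge.sol or the project's own code: `GuardedExample` and `ReinitCheck` are hypothetical names, the values are constructed, and the sketch assumes OpenZeppelin's `Initializable` is available at the import path used in the recommendation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/proxy/utils/Initializable.sol";

// Constructed stand-in for a contract whose initialize() takes ABI-encoded
// setup data and is guarded by OpenZeppelin's `initializer` modifier.
contract GuardedExample is Initializable {
    address public owner;

    function initialize(bytes calldata data) public initializer {
        owner = abi.decode(data, (address));
    }
}

// Hypothetical check harness: initializes the target once, attempts a second
// initialization with different data, and reports whether the guard held.
contract ReinitCheck {
    function secondCallReverts() external returns (bool) {
        GuardedExample target = new GuardedExample();

        // First call is expected to succeed and record this contract as owner.
        target.initialize(abi.encode(address(this)));

        // Second call carries a different (constructed) owner value.
        try target.initialize(abi.encode(address(0xBEEF))) {
            // No revert: the guard is missing or ineffective.
            return false;
        } catch {
            // Reverted: confirm the first call's state was not overwritten.
            return target.owner() == address(this);
        }
    }
}
```

Pointing the same harness at the contract under review, with its real guard in place, shows whether a second `initialize` call actually succeeds before a finding is filed.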
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
