ArkProject: NFT Bridge

Github

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/bridge.cairo

Summary

L2 -> L1 Messaging Cancellation: There is no such mechanism currently available.

Vulnerability Details

The official docs provides information about L1->L2 message cancellation, but there is no corresponding mechanism for canceling a message when an error occurs in the L1 contract or any other issue that leads to tokens being stuck in escrow. This lack of a cancellation mechanism for L2->L1 requests can result in the permanent loss of tokens, as they remain stuck in the escrow contract.

Impact

Users can permanently lose tokens if the message fails from L2->L1, as the tokens will remain stuck in the escrow contract.

Proof of Concept

• Dana attempted to bridge his Bored Ape NFT #2 from L2 to L1.

• The request failed for some reason, resulting in Dana's Bored Ape NFT #2 being stuck in the escrow contract.

• Dana wants to cancel the request to withdraw the NFT from escrow, but there is no mechanism to do so.

• Consequently, Dana's Bored Ape NFT #2 is permanently stuck in the escrow contract.

Recommendation

I propose two potential solutions to address this issue:

1. Implement a cancellation feature for L2->L1 messages, allowing users to cancel their requests if they fail.

2. Develop a method to withdraw tokens from escrow, enabling users to retrieve their tokens in case of an emergency.

These solutions would provide a way to handle failed transactions and prevent the permanent loss of tokens.