ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Users would lose funds when attempting to bridge, since reverts would often occur or they'd have to overpay

bauchibred

Summary

Some users would either lose funds when attempting to bridge, or have their tx potentially stuck.

Vulnerability Details

Inorder to bridge the NFTs the Bridge#depositTokens(), function is called, which is marked as payable so as to provide the fee for processing this transaction on StarkNet.

Now would be key to note that messaging on StarkNet is not like the common cross chain messaging via layerZero fee wise, i.e here there is no refundAddress where excess fees get sent to and the exact fee is expected to be passed when querying StarknetMessaging#sendMessageToL2().

This is also known to the Starknet team which is why, they've included this section in their docs: https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/#l1-l2-message-fees.

Where they've indicated that to get the exact fees, it's advisable to use the CLI to get an estimate of an L1 → L2 message fee.

Now since this is not being done in the Ark bridge, this opens up two windows:

Naturally we don't expect users to guess right down to the wei value how much their tx would cost, so users would then:

If trying to pay cheap, would pass in a less than amount for fees, which would have their bridging attempt on starkNet fail, and they then have to be DOS'd from their tokens till the request is canceled on starknet (which takes a minimum of 5 days to finalize), since during the initial attempt at bridging the tokens were deposited into an escrow.
If trying to ensure their tx always passes, they then would pay a very high fee, but less than the MAX_L1_MSG_FEE which is currently 1 ether.

Impact

As hinted under Vulnerability Details, the bridging process is quite flawed when considering it's feeing logic since we can't expect users to guess right down to the wei value how much their tx would cost on starkNet, and would have either their attempt revert (after already speding native ethereum gas fees placing in these requests), or them losing out on funds due to overpaying the fees.

Tools Used

Manual review

Recommendations

Use the recommendations both in Starknet's docs and the official Cairo book which in our case would be to incorporate checking the fee on the CLI to get an estimate fee for the bridging tx and request users pay this.

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-not-enough-fee-can-block-NFT

Impact: Medium/High. Need an admin to start a cancellation and wait for 5 days once done. DoS > 5 days. Likelyhood: Low. Everytime a wallet/or a user do not send enough gas

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.