NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

User NFTs can be lost if `owner_l1` is set to a contract address which doesn't support ERC721

Github

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L208

Summary

The current implementation of the `mintFromBridge` function in the bridge contract potentially allows ERC721 tokens to be minted to a contract address on L1 that does not support receiving ERC721 tokens. This issue arises because the function uses `_mint`, which does not verify whether the receiving address can handle ERC721 tokens, leading to a potential loss of NFTs.

Vulnerability details

When a user deposits NFTs on L2 for bridging to L1, they specify an `owner_l1` address, which is then used in the withdrawal process on L1. The `mintFromBridge` function mints the NFT directly to the `owner_l1` address without checking whether the address can accept ERC721 tokens. If `owner_l1` is a contract address that does not support ERC721 tokens, the token might be permanently lost.

Impact

The loss of valuable NFTs is possible if they are minted to a contract address on L1 that cannot handle ERC721 tokens, due to the use of `_mint` without proper checks. This could result in significant financial loss and user dissatisfaction.

Proof of concept

1. A user deposits an NFT on L2 with a contract address as the `owner_l1`.
2. During withdrawal on L1, the `mintFromBridge` function mints the NFT to the `owner_l1` contract address.
3. The contract address does not support ERC721 tokens, resulting in the loss of the NFT.

Recommendation

Replace the `_mint` call in `mintFromBridge` with a safer alternative that verifies the recipient's ability to handle ERC721 tokens, such as `_safeMint`. This will ensure that NFTs are not minted to incompatible contract addresses, preventing potential loss of tokens.
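The difference between the two mint paths, as an added example that is not the ark-project code: a hypothetical L1 collection built on OpenZeppelin's ERC721 (an assumption; the names `BridgedNFT`, `mintUnsafe`, `mintSafe`, `AcceptingVault` and `NoReceiver` are illustrative), showing what `_safeMint` checks that `_mint` does not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency: OpenZeppelin Contracts (ERC721 and IERC721Receiver).
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

/// Hypothetical stand-in for an L1 collection minted by a bridge.
contract BridgedNFT is ERC721 {
    address public immutable bridge;

    constructor(address bridge_) ERC721("Bridged", "BRG") {
        bridge = bridge_;
    }

    modifier onlyBridge() {
        require(msg.sender == bridge, "not bridge");
        _;
    }

    /// No receiver check: if `to` is a contract with no way to move
    /// ERC721 tokens out, the token is held there permanently.
    function mintUnsafe(address to, uint256 id) external onlyBridge {
        _mint(to, id);
    }

    /// With the receiver check: when `to` has code, OpenZeppelin calls
    /// `onERC721Received` and reverts unless the expected selector comes
    /// back. Caveat for a bridge: that hook is an external call into the
    /// recipient, and a revert means the withdrawal fails rather than
    /// minting to an address that cannot handle the token.
    function mintSafe(address to, uint256 id) external onlyBridge {
        _safeMint(to, id);
    }
}

/// A recipient that opts in by returning the magic selector.
contract AcceptingVault is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}

/// A contract with no ERC721 handling at all: `mintUnsafe` succeeds and
/// strands the token here; `mintSafe` reverts.
contract NoReceiver {}
```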

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags: Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

0xtheblackpanther Submitter 9 months ago
blckhv Auditor 9 months ago
n0kto Lead Judge 9 months ago
n0kto Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags: Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
