ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Unvalidated Input in StarklaneState(State) Contract Allows Setting Invalid L2 Addresses and Selectors

juggernaut63

Summary

The StarklaneState(State) contract allows the owner to set L2 addresses and selectors without validating the input. This lack of validation can lead to the setting of invalid or unintended values, potentially causing operational failures or security risks.

Vulnerability Details

1.Zero Value Case:
Scenario:

Contract owner accidentally calls setStarklaneL2Address(0).
Steps:

  1. Contract owner calls setStarklaneL2Address function with parameter 0.

  2. The function sets _starklaneL2Address to 0 without validation.

  3. Another contract or a function within this contract tries to send a message to L2 using _starklaneL2Address.

  4. The message fails because 0 is not a valid address in Starknet.

2.Invalid Value Case:

Scenario:

Contract owner calls setStarklaneL2Selector(12345678901234567890) without knowing that the selector does not exist in the L2 contract.

Steps:

  1. Contract owner calls the setStarklaneL2Selector function with the parameter 12345678901234567890.

  2. The function sets _starklaneL2Selector to 12345678901234567890 without validation.

  3. Contract tries to send a message to L2 using _starklaneL2Selector.

  4. The message fails because the selector 12345678901234567890 does not exist in the target L2 contract.

3.Unwanted Value Case:
Scenario:

Contract owner calls setStarklaneL2Address with wrong address due to typo, for example setStarklaneL2Address(0x1234...5678) instead of 0x1234...5679.
Steps:

  1. Contract owner calls setStarklaneL2Address function with parameter 0x1234...5678.

  2. Function sets _starklaneL2Address to 0x1234...5678 without validation.

  3. Contract tries to send message to L2 using _starklaneL2Address.

  4. Message is sent to wrong address (0x1234...5678 instead of 0x1234...5679).

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.8;
import "forge-std/Test.sol";
import "../src/State.sol";
contract StarklaneStateTest is Test {
StarklaneState starklaneState;
function setUp() public {
starklaneState = new StarklaneState();
starklaneState.transferOwnership(address(this)); // Set the test contract as the owner
}
function testZeroValue() public {
// Zero Value Case
starklaneState.setStarklaneL2Address(0);
(snaddress l2Address, ) = starklaneState.l2Info();
assertEq(snaddress.unwrap(l2Address), 0, "L2 address should be 0");
}
function testInvalidSelector() public {
// Invalid Value Case
uint256 invalidSelector = 12345678901234567890;
starklaneState.setStarklaneL2Selector(invalidSelector);
(, felt252 l2Selector) = starklaneState.l2Info();
assertEq(felt252.unwrap(l2Selector), invalidSelector, "L2 selector should be the invalid value");
}
function testUnwantedValue() public {
// The Case of Unwanted Values
uint256 wrongAddress = uint256(uint160(0x1234567812345678123456781234567812345678));
starklaneState.setStarklaneL2Address(wrongAddress);
(snaddress l2Address, ) = starklaneState.l2Info();
assertEq(snaddress.unwrap(l2Address), wrongAddress, "L2 address should be the wrong value");
}
}

forge test --match-path test/StarklaneStateTest.t.sol
[⠊] Compiling...
[⠃] Compiling 1 files with Solc 0.8.26
[⠊] Solc 0.8.26 finished in 792.11ms
Compiler run successful!

Ran 3 tests for test/StarklaneStateTest.t.sol:StarklaneStateTest
[PASS] testInvalidSelector() (gas: 32828)
[PASS] testUnwantedValue() (gas: 32818)
[PASS] testZeroValue() (gas: 12886)
Suite result: ok. 3 passed; 0 failed; 0 skipped; finished in 46.72ms (12.56ms CPU time)

Ran 1 test suite in 80.95ms (46.72ms CPU time): 3 tests passed, 0 failed, 0 skipped (3 total tests)

Impact

1.Zero Value:

  • Setting the L2 address or selector to zero can cause operational failures as zero is often used to indicate uninitialized or invalid states.

2.Invalid or Unintended Values:

  • Setting excessively large or unintended values can lead to messages being sent to incorrect addresses or functions, resulting in failed transactions and potential loss of funds.

  • Operational disruptions can occur if the contract relies on specific addresses or selectors to function correctly.

Tools Used

  • Manual review

  • Foundry

Recommendations

  • Implement input validation to ensure that the L2 address and selector are valid and within acceptable ranges.

function setStarklaneL2Address(uint256 l2Address) public onlyOwner {
require(l2Address != 0, "Invalid L2 address");
_starklaneL2Address = Cairo.snaddressWrap(l2Address);
emit StarklaneL2AddressSet(_starklaneL2Address);
}
function setStarklaneL2Selector(uint256 l2Selector) public onlyOwner {
require(l2Selector != 0, "Invalid L2 selector");
_starklaneL2Selector = Cairo.felt252Wrap(l2Selector);
emit StarklaneL2SelectorSet(_starklaneL2Selector);
}

  • Emit events when setting the L2 address and selector to facilitate off-chain monitoring and auditing.

event StarklaneL2AddressSet(snaddress l2Address);
event StarklaneL2SelectorSet(felt252 l2Selector);
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.