ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Unsupported `use_withdraw_auto` flag causes potential token lockup in `deposit_tokens` function

hydrapenta

Summary

The use_withdraw_auto flag in the deposit_tokens function of the L2 Bridge.cairo contract is intended to automate the withdrawal of tokens on L1. However, the corresponding functionality is disabled on the L1 contract, leading to a situation where tokens may be locked on L2 without any clear mechanism for retrieval.

Vulnerability Details

In the deposit_tokens function on L2, users can set the use_withdraw_auto flag to true, which signals that the withdrawal of tokens on L1 should be handled automatically. The code snippet for the flag is shown below:

fn deposit_tokens(

ref self: ContractState,

salt: felt252,

collection_l2: ContractAddress,

owner_l1: EthAddress,

token_ids: Span<u256>,

use_withdraw_auto: bool, //@audit allows users to set this to true when depositing in L2

use_deposit_burn_auto: bool,

) {

// Processing logic here...

}

However, in the withdrawTokens function on the L1 Bridge.sol contract, the auto-withdrawal functionality has been explicitly disabled:

function withdrawTokens(

uint256[] calldata request

)

external

payable

returns (address)

{

// Other processing logic...

if (Protocol.canUseWithdrawAuto(header)) {

// 2024-03-19: disabled autoWithdraw after audit report

// _consumeMessageAutoWithdraw(_starklaneL2Address, request);

revert NotSupportedYetError(); //@audit reverts when auto withdraw is enabled

} else {

_consumeMessageStarknet(_starknetCoreAddress, _starklaneL2Address, request);

}

// More processing logic...

}

The L1 contract reverts with a NotSupportedYetError when the use_withdraw_auto flag is set to true, effectively disabling the automatic withdrawal process. This means that any tokens intended for automatic withdrawal will remain in escrow on L2 indefinitely, as there is no fallback mechanism to handle these tokens manually.

Impact

Tokens that were intended to be withdrawn automatically on L1 may become permanently locked in the L2 escrow if the use_withdraw_auto flag is set to true. Users who expect their tokens to be automatically withdrawn may be unaware that this functionality is not supported, leading to frustration and potential loss of funds. The only way to recover is by a upgrade to Bridge contract on L2.

Tools Used

Manual Review.

Recommendations

Disable** use_withdraw_auto on L2. **Modify the deposit_tokens function to reject transactions where use_withdraw_auto is set to true. This will prevent users from mistakenly enabling a feature that is not supported on L1.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-auto_withdrawn-L2-NFT-stuck

Impact: High, token will be stuck in L2 bridge. Likelyhood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.