ArkProject: NFT Bridge

Github

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L137-L141

Summary

The current bridging implementation from L1 to L2 does not include a minimum gas limit check. This oversight can result in tokens being stuck in escrow if the gas provided is below the required minimum threshold.

Vulnerability Details

In the sendMessageToL2 function, which facilitates messaging from L1 to L2, there is a crucial requirement for a minimum gas limit. According to the official Cairo Docs, the msg.value should be at least 20k wei. This minimum is necessary because:

• The StarknetMessaging contract needs to register the hash of the message in ETH storage.

• In addition to the 20k wei, sufficient fees must be paid on L1 to cover the deserialization and processing of the message on L2.

Without a minimum gas check, if the gas provided is below this threshold, the message may fail, causing the tokens to be stuck in escrow. Of-course the message can be retired later by cancelling but the issue still exist.

Impact

If the minimum gas requirement is not met, user tokens can become stuck in escrow, potentially leading to significant issues for users and affecting the overall reliability of the bridging process.

Recommendation

Implement a minimum gas limit check in the sendMessageToL2 function to ensure that the gas provided meets the required threshold. This check will prevent tokens from being stuck in escrow due to insufficient gas and enhance the robustness of the bridging process.