Users cannot withdraw their tokens if the bridge is disabled.
The intended behavior, as confirmed by the sponsor, is that users should be able to withdraw their tokens regardless of the bridge's enabled or disabled status. However, the current implementation incorrectly restricts token withdrawals when the bridge is disabled, contradicting this intended behavior.
Users are unable to withdraw their tokens when the bridge is disabled, which is inconsistent with the expected behavior.
Remove the Bridge Status Check: The cancellation functions do not check whether the bridge is enabled or disabled, so modify the withdrawTokens function in the same way and remove its check for the bridge's enabled/disabled status. This will ensure that users can withdraw their tokens regardless of the bridge's status.
Apply Fix to Cairo Bridge Contract: Ensure that the same fix is applied to the Cairo bridge contract to maintain consistency across implementations.
Test Changes: Thoroughly test the updated implementation to confirm that the withdrawal process works as intended in all scenarios.
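The recommended change, shown on a simplified escrow contract as an added example (this is not the audited bridge's code). Only the name withdrawTokens comes from the finding; the contract, the `enabled` flag, the `whenEnabled` modifier and all other identifiers are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified escrow bridge. Only the name withdrawTokens comes
// from the finding; every other identifier is an assumption for illustration.
contract BridgeSketch {
    address public immutable admin;
    bool public enabled = true;
    mapping(uint256 => address) public escrowedBy; // tokenId => depositor

    error BridgeNotEnabled();
    error NotDepositor();

    modifier whenEnabled() {
        if (!enabled) revert BridgeNotEnabled();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    function setEnabled(bool on) external {
        require(msg.sender == admin, "not admin");
        enabled = on;
    }

    // Starting a new bridge operation stays gated: a paused bridge takes no new deposits.
    function depositTokens(uint256 tokenId) external whenEnabled {
        require(escrowedBy[tokenId] == address(0), "already escrowed");
        escrowedBy[tokenId] = msg.sender;
    }

    // Before: the gate also covers the exit path, so tokens stay locked while paused.
    function withdrawTokensGated(uint256 tokenId) external whenEnabled {
        _release(tokenId);
    }

    // After: no status check, matching the cancellation functions.
    function withdrawTokens(uint256 tokenId) external {
        _release(tokenId);
    }

    function _release(uint256 tokenId) private {
        if (escrowedBy[tokenId] != msg.sender) revert NotDepositor();
        delete escrowedBy[tokenId]; // a real bridge would transfer the token after this state update
    }
}
```

A regression test for the fix would deposit, call `setEnabled(false)`, then check that `withdrawTokens` succeeds while `depositTokens` reverts with `BridgeNotEnabled`.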
Impact: Medium, token won’t be withdrawable until the bridge is enabled again. No real token loss. Likelihood: Low/Medium, bridge would be disabled in case of emergency/upgrade/audit.