NFTBridge (60,000 USDC)

Submission Details
Severity: low
Status: Invalid

Bridge::withdrawTokens is payable

Summary

Bridge::withdrawTokens is declared payable, so a user consuming their L2 message can mistakenly attach native value to the call. That value is lost, because the contract has no function to retrieve mistakenly sent funds.

Vulnerability Details

Bridge.sol

```solidity
function withdrawTokens(
    uint256[] calldata request
)
    external
    payable      // accepts msg.value although consuming the L2 message needs none
    returns (address)
{
    // ...
}
```

However, consuming the message from L2 requires no native value at all, so there is no reason for this function to accept msg.value.

Impact

Loss of funds for any user who attaches native value (msg.value) to a call to Bridge::withdrawTokens.

Tools Used

Manual Review

Recommendations

Remove the payable keyword from the function:

```diff
 function withdrawTokens(
     uint256[] calldata request
 )
     external
-    payable
     returns (address)
 {
```
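To make the failure mode concrete, the following is an added example (constructed for this write-up, not the NFTBridge project's code): a minimal bridge with the payable withdrawTokens from the finding next to the hardened non-payable variant, plus a small driver that sends 1 wei with each call and reports where the value ends up. The MockMessaging consumer, the request payload layout and the Withdrawn event are assumptions made so the file compiles and runs stand-alone (for example in Remix, deploying LockedValueDemo with a few wei).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not NFTBridge project code. MockMessaging, the `request`
// layout and the Withdrawn event are assumptions so that this file compiles alone.

// Stand-in for the L2 -> L1 messaging contract whose messages the bridge consumes.
contract MockMessaging {
    mapping(bytes32 => bool) public consumed;

    function consumeMessageFromL2(uint256[] calldata payload) external {
        bytes32 key = keccak256(abi.encodePacked(msg.sender, payload));
        require(!consumed[key], "already consumed");
        consumed[key] = true;
    }
}

// Variant with the defect from the finding: withdrawTokens is payable although
// consuming the L2 message needs no native value, and nothing ever moves ETH out.
contract BridgeVulnerable {
    MockMessaging public immutable messaging;
    event Withdrawn(address indexed to, uint256[] request);

    constructor(MockMessaging m) { messaging = m; }

    function withdrawTokens(uint256[] calldata request) external payable returns (address) {
        messaging.consumeMessageFromL2(request);
        emit Withdrawn(msg.sender, request);
        return msg.sender; // any msg.value attached to this call is now locked here
    }
}

// Hardened variant: `payable` removed. The ABI dispatcher reverts any call that
// carries value before the body runs, so a mistaken transfer cannot get stuck.
contract BridgeHardened {
    MockMessaging public immutable messaging;
    event Withdrawn(address indexed to, uint256[] request);

    constructor(MockMessaging m) { messaging = m; }

    function withdrawTokens(uint256[] calldata request) external returns (address) {
        messaging.consumeMessageFromL2(request);
        emit Withdrawn(msg.sender, request);
        return msg.sender;
    }
}

// Driver: deploy both bridges, send 1 wei alongside a withdrawal, report the outcome.
contract LockedValueDemo {
    BridgeVulnerable public vulnerable;
    BridgeHardened public hardened;

    constructor() payable {
        MockMessaging m = new MockMessaging();
        vulnerable = new BridgeVulnerable(m);
        hardened = new BridgeHardened(m);
    }

    receive() external payable {}

    // Returns the wei now stuck in the vulnerable bridge and whether the hardened
    // bridge accepted the same value-carrying call (it does not).
    function run() external returns (uint256 stuckWei, bool hardenedAccepted) {
        require(address(this).balance >= 2, "fund the demo with a few wei");
        uint256[] memory request = new uint256[](2);
        request[0] = 1;  // constructed payload values
        request[1] = 42;

        vulnerable.withdrawTokens{value: 1}(request);
        stuckWei = address(vulnerable).balance; // 1 wei, and no function can return it

        // A low-level call is needed here: the typed interface of a non-payable
        // function does not even allow a `{value: ...}` option at the call site.
        (hardenedAccepted, ) = address(hardened).call{value: 1}(
            abi.encodeCall(BridgeHardened.withdrawTokens, (request))
        );
        // hardenedAccepted is false: the call reverted and the wei stayed with the caller
    }
}
```

Running run() on a funded LockedValueDemo returns stuckWei == 1 and hardenedAccepted == false, which is the whole point of the recommendation: once `payable` is gone, a mistaken value transfer fails at the dispatcher instead of being silently absorbed.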

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.

Appeal created

slavcheww Submitter, about 1 year ago

n0kto Lead Judge, 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.