ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

In case the max payload size is modified from Starknet, Ark can become less functional

SBSecurity

Summary

Starknet doesn’t ensure that values that are valid now, won’t be changed in the future, so having MAX_PAYLOAD_LENGTH as a constant can make the Bridge contracts less functional in case payload size gets modified.

Vulnerability Details

Looking at the Starknet docs, in the table with current limits we will see the following sentence:

These are subject to revisions and change on a regular basis

But the Bridge contract has no setter function for the max payload length, leading to future issues. The biggest impact will be caused if the max payload is decreased by Starknet. Valid depositTokens will lead to failed transactions and NFTs will be locked in the bridge contract. This will happen with each transaction with a payload bigger than the current limit on Starknet but lower than MAX_PAYLOAD_LENGTH.

The other way around is when payload size is increased, then MAX_PAYLOAD_LENGTH will prevent users with a lot of tokens from bridging them to L2 while this request is now valid and will force them to pay more bridge fees by executing multiple bridge transactions.

Bridge.sol

if (payload.length >= MAX_PAYLOAD_LENGTH) {
revert TooManyTokensError();
}

Impact

Less functional bridge when payload size is updated from Starknet, due to using hardcoded MAX_PAYLOAD_LENGTH variable

Tools Used

Manual Review

Recommendations

Add setter function for the max payload length and modify it when Starknet modifies it as well.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

blckhv Submitter
about 1 year ago
blckhv Submitter
about 1 year ago
slavcheww Submitter
about 1 year ago
n0kto Lead Judge
12 months ago
n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.