NFTBridge
60,000 USDC
Submission Details
Severity: high
Valid

Repeatedly Bridging Worthless Unique Collections From L2 Can DoS The L1

Summary

Bridging multiple instances of worthless ERC-721 collections from the L2 can prevent any new collections from being bridged onto the L1.

Vulnerability Details

The L2 bridge can conditionally whitelist tokens; however, the whitelist is disabled by default, allowing any token to be bridged from Starknet to Mainnet. This means it is possible to create a large number of worthless ERC-721 collections and request that they be bridged to the L1.

This becomes an issue when we take into account what happens when a newly-bridged token from the trusted L2 contract is received by the L1 bridge:

if (collectionL1 == address(0x0)) {
    if (ctype == CollectionType.ERC721) {
        collectionL1 = _deployERC721Bridgeable(
            req.name,
            req.symbol,
            req.collectionL2,
            req.hash
        );
        // update whitelist if needed
        _whiteListCollection(collectionL1, true);
    } else {
        revert NotSupportedYetError();
    }
}

When a cross-chain message references an L2 collection address that has never been seen before, _verifyRequestAddresses returns a collectionL1 of address(0), forcing the L1 bridge to execute the logic listed above.

Aside from deploying the proxy ERC-721 bridge contract via _deployERC721Bridgeable, the L1 bridge also invokes _whiteListCollection:

function _whiteListCollection(address collection, bool enable) internal {
    if (enable && !_whiteList[collection]) {
        bool toAdd = true;
        uint256 i = 0;
        while (i < _collections.length) { /// @audit loop_through_all_collections
            if (collection == _collections[i]) {
                toAdd = false;
                break;
            }
            i++;
        }
        if (toAdd) {
            /// @audit Bridged worthless collections will increase the array size,
            /// @audit therefore future iterations will grow longer and longer.
            _collections.push(collection);
        }
    }
    _whiteList[collection] = enable;
}

Notice here that for each new collection bridged from Starknet, the bridge has to iterate through an ever-longer _collections array.

Invariably, an attacker spamming worthless collections will cause this operation to revert with out-of-gas (OOG) on every subsequent attempt to honestly bridge a new collection.

Impact

Denial of service to all subsequent bridged tokens which have not yet been processed.

Tools Used

Manual Review

Recommendations

Although an attacker can trigger this scenario intentionally, it is also likely to emerge over time through honest bridge operations.

Refactor the whitelist implementation to use an EnumerableMap instead, which lets the bridge maintain an iterable array of unique collection addresses without looping through every element on insertion.

Additionally, consider enforcing the whitelist by default on the L2.
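A constant-gas version of the collection registry, added here as an editor's example and not code from the NFTBridge repository. It inlines the index-mapping technique behind OpenZeppelin's EnumerableMap/EnumerableSet so that insertion costs the same regardless of how many collections were bridged before; the contract and function names (CollectionRegistry, _collectionIndex, collectionCount, collectionAt) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not NFTBridge project code. Contract and member names are assumed.
contract CollectionRegistry {
    // Iterable list of every collection ever registered (same role as _collections).
    address[] private _collections;
    // 1-based position of an address in _collections; 0 means "never registered".
    // A single SLOAD replaces the linear scan, so gas per insertion stays flat.
    mapping(address => uint256) private _collectionIndex;
    mapping(address => bool) private _whiteList;

    event WhiteListUpdated(address indexed collection, bool enable);

    // Drop-in replacement for the vulnerable _whiteListCollection: no loop on the
    // message-processing path, so spammed collections cannot push honest bridging
    // requests past the block gas limit.
    function _whiteListCollection(address collection, bool enable) internal {
        if (enable && _collectionIndex[collection] == 0) {
            _collections.push(collection);
            _collectionIndex[collection] = _collections.length; // array index + 1
        }
        // Same semantics as the original: the flag is toggled, the entry is kept.
        _whiteList[collection] = enable;
        emit WhiteListUpdated(collection, enable);
    }

    function isWhiteListed(address collection) public view returns (bool) {
        return _whiteList[collection];
    }

    // Enumeration remains available for off-chain consumers; unbounded iteration
    // belongs in view functions only, never in the L1 message handler.
    function collectionCount() external view returns (uint256) {
        return _collections.length;
    }

    function collectionAt(uint256 i) external view returns (address) {
        return _collections[i];
    }
}
```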

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-collections-always-withelisted-on-both-chain-withdraw-impossible-collections-array-will-be-OOG

Likelihood: High, once the whitelist option is disabled, collections will grow. Impact: High, withdrawals won't be possible because of Out-Of-Gas.
