NFTBridge
60,000 USDC
Submission Details
Severity: medium
Invalid

Missing Check for Minimum Token IDs in `depositTokens` Function

Summary

The depositTokens function does not verify that the ids array contains at least one token ID, despite the documentation specifying that at least one token is required. This oversight can lead to unexpected behavior if an empty ids array is provided.

Vulnerability Details

Location: https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L78

Details:
The depositTokens function documentation states that at least one token ID is required in the ids array. However, the current implementation of the function does not include a check to enforce this requirement. The absence of this check means the function can be called with an empty ids array, potentially causing unexpected behavior or errors later in the execution.

Impact

Without this check, the function can be called with an empty ids array, leading to:

  1. Potential errors or unexpected behavior when processing the request.

  2. Inconsistencies between the documented behavior and the actual implementation.

  3. Increased risk of security issues or logical errors due to invalid input.

Tools Used

Manual code review

Recommendations

Add a check to the depositTokens function to ensure that the ids array contains at least one token ID. If the array is empty, the function should revert with an appropriate error message.

Proposed Validation code:

Add the following check to the depositTokens function:

```solidity
// Declared at contract level
error NoTokenIdsProvidedError();

// At the start of depositTokens
if (ids.length == 0) {
    revert NoTokenIdsProvidedError();
}
```

Revised Function:

```solidity
error NoTokenIdsProvidedError(); // added

function depositTokens(
    uint256 salt,
    address collectionL1,
    snaddress ownerL2,
    uint256[] calldata ids,
    bool useAutoBurn
)
    external
    payable
{
    // added: reject an empty ids array
    if (ids.length == 0) {
        revert NoTokenIdsProvidedError();
    }
    // Existing code
}
```

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
