ArkProject: NFT Bridge

Summary

The depositTokens function does not verify that the ids array contains at least one token ID, despite the documentation specifying that at least one token is required. This oversight can lead to unexpected behavior if an empty ids array is provided.

Vulnerability Details

Location : https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L78

Details:
The depositTokens function documentation states that at least one token ID is required in the ids array. However, the current implementation of the function does not include a check to enforce this requirement. The absence of this check means the function can be called with an empty ids array, potentially causing unexpected behavior or errors later in the execution.

Impact

Without this check, the function can be called with an empty ids array, leading to:

1. Potential errors or unexpected behavior when processing the request.

2. Inconsistencies between the documented behavior and the actual implementation.

3. Increased risk of security issues or logical errors due to invalid input.

Tools Used

Manual code review

Recommendations

Add a check to the depositTokens function to ensure that the ids array contains at least one token ID. If the array is empty, the function should revert with an appropriate error message.

Proposed Validation code:

Add the following check to the depositTokens function:

Revised Function: