NFTBridge
60,000 USDC
Submission Details
Severity: medium
Valid

`sendMessageToL2` Transactions Can Be Underpriced

Summary

The L1 Bridge contract uses sendMessageToL2 to communicate between Mainnet and Starknet. However, there is no validation of the price of sent messages, which can leave tokens stuck on the bridge when underpriced transactions fail to be mined.

Vulnerability Details

When invoking sendMessageToL2, the msg.sender must send a sufficient msg.value to cover the cost of bridging:

    /**
      Sends a message to an L2 contract.
    */
    function sendMessageToL2(
        uint256 toAddress,
        uint256 selector,
        uint256[] calldata payload
    ) external payable override returns (bytes32, uint256) {
@>      require(msg.value > 0, "L1_MSG_FEE_MUST_BE_GREATER_THAN_0"); /// @audit must_transfer_nonzero_value
        require(msg.value <= getMaxL1MsgFee(), "MAX_L1_MSG_FEE_EXCEEDED");
        uint256 nonce = l1ToL2MessageNonce();
        NamedStorage.setUintValue(L1L2_MESSAGE_NONCE_TAG, nonce + 1);
        emit LogMessageToL2(msg.sender, toAddress, selector, payload, nonce, msg.value);
        bytes32 msgHash = getL1ToL2MsgHash(toAddress, selector, payload, nonce);
        // Note that the inclusion of the unique nonce in the message hash implies that
        // l1ToL2Messages()[msgHash] was not accessed before.
        l1ToL2Messages()[msgHash] = msg.value + 1;
        return (msgHash, nonce);
    }

However, the bridge does not impose a sane minimum fee.

It is rational that some callers should attempt to minimize fees, which can result in stuck message payloads that lack sufficient incentive to be processed.

Similarly, gas price fluctuations can impact the liveness of the bridge.

Invariably, this can result in tokens escrowed onto the bridge failing to be realized at the destination L2 due to the transaction being underpriced:

The transaction must have a correct payable amount: the invoked function costs roughly 3000 gas, so you should set msg.value around 3000*gas_price.

Impact

Whilst an underpriced transaction is pending, the tokens on the bridge will become stuck until the request is manually cancelled by the protocol owner.

Cancelling tokens is a manual two-phase process which must be endured by the protocol owner.

Tools Used

Manual Review

Recommendations

It is advised to recommend a minimum feePerGas for transmitting bridge messages and to make it configurable by onlyOwner, so that payloads have a significant chance of eventually being realized.
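One way to apply this recommendation, as an added example that is not the audited project's code: a sender contract that rejects any message whose msg.value falls below an owner-tuned floor before calling sendMessageToL2. The contract name, minFeePerGas storage, the error and event names, and the 3000-gas constant (taken from the guidance quoted above) are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Matches the sendMessageToL2 signature quoted in the finding.
interface IStarknetMessaging {
    function sendMessageToL2(uint256 toAddress, uint256 selector, uint256[] calldata payload)
        external payable returns (bytes32, uint256);
}

// Added example (hypothetical contract), not the audited bridge's code.
contract FeeFloorSender {
    error NotOwner();
    error FeeBelowFloor(uint256 sent, uint256 required);
    event MinFeePerGasUpdated(uint256 oldValue, uint256 newValue);

    // Assumption: rough gas cost of the L2 handler, from the guidance quoted above.
    uint256 public constant L2_HANDLER_GAS = 3000;
    IStarknetMessaging public immutable messaging;
    address public immutable owner;
    uint256 public minFeePerGas; // wei per gas unit, tuned by the owner as prices move

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(IStarknetMessaging messaging_, uint256 minFeePerGas_) {
        messaging = messaging_;
        owner = msg.sender;
        minFeePerGas = minFeePerGas_;
    }

    function setMinFeePerGas(uint256 newValue) external onlyOwner {
        emit MinFeePerGasUpdated(minFeePerGas, newValue);
        minFeePerGas = newValue;
    }

    // Smallest msg.value this contract will forward with a message.
    function minimumFee() public view returns (uint256) {
        return L2_HANDLER_GAS * minFeePerGas;
    }

    // Reverts before any message is queued (and, in a bridge, before tokens are escrowed).
    function sendWithFeeFloor(uint256 toAddress, uint256 selector, uint256[] calldata payload)
        external payable returns (bytes32 msgHash, uint256 nonce)
    {
        uint256 required = minimumFee();
        if (msg.value < required) revert FeeBelowFloor(msg.value, required);
        return messaging.sendMessageToL2{value: msg.value}(toAddress, selector, payload);
    }
}
```

The floor has to stay at or below getMaxL1MsgFee(), otherwise every call that satisfies it is rejected by the MAX_L1_MSG_FEE_EXCEEDED check in sendMessageToL2.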

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-not-enough-fee-can-block-NFT

Impact: Medium/High. Need an admin to start a cancellation and wait for 5 days once done. DoS > 5 days. Likelihood: Low. Every time a wallet or a user does not send enough gas
