ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Lack of Access Control on StarknetMessagingLocal.sol::addMessageHashesFromL2()

sidhack3r11

Summary

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/sn/StarknetMessagingLocal.sol

The addMessageHashesFromL2 function in the StarknetMessagingLocal contract is designed to register message hashes directly from L2, marking them as ready for consumption. This function is public, meaning it can be called by any external address without restriction.

The lack of access control on this function exposes the contract to significant risks. Specifically, any entity can invoke this function to add arbitrary message hashes to the contract's state. This could lead to unauthorized manipulation of the contract's messaging state, as there is no verification or authentication to ensure that only legitimate message hashes are registered

Vulnerability Details

The addMessageHashesFromL2 function in the StarknetMessagingLocal contract allows any external entity to add message hashes directly to the contract’s state. The function is defined as follows:

function addMessageHashesFromL2(
uint256[] calldata msgHashes
)
external
payable
{
for (uint256 i = 0; i < msgHashes.length; i++) {
bytes32 hash = bytes32(msgHashes[i]);
l2ToL1Messages()[hash] += 1;
}
emit MessageHashesAddedFromL2(msgHashes);
}

Impact

Unauthorized Message Registration: Malicious actors can register any message hashes, potentially leading to unauthorized operations. For example, they could craft hashes to simulate messages that should not be processed or consumed, manipulating the contract’s behavior.

Contract Integrity Compromise: The integrity of the contract’s messaging logic is compromised as it cannot ensure the validity of the message hashes. This can cause inconsistencies or errors in message processing.

Attack Execution:

  • An attacker calls addMessageHashesFromL2 with a list of fake message hashes.

  • These hashes are added to the contract’s state, and if the contract’s logic later attempts to consume these messages, it might perform unintended operations based on the fraudulent hashes.

Potential Consequences:

  • The attacker could potentially disrupt the normal flow of message processing or execute actions that should only be performed based on valid messages, such as withdrawing funds or changing contract states

Tools Used

Manual Review

Recommendations

Implement Access Control:

  • Restrict access to the addMessageHashesFromL2 function. Use access control mechanisms to ensure that only authorized entities can call this function. For example, use the onlyOwner modifier:

modifier onlyOwner() {
require(msg.sender == owner, "Not authorized");
_;
}
function addMessageHashesFromL2(
uint256[] calldata msgHashes
)
external
onlyOwner
{
for (uint256 i = 0; i < msgHashes.length; i++) {
bytes32 hash = bytes32(msgHashes[i]);
l2ToL1Messages()[hash] += 1;
}
emit MessageHashesAddedFromL2(msgHashes);
}
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.