NFTBridge
60,000 USDC
View results
Submission Details
Severity: low
Invalid

Anyone can cancel any request in bridge.sol

Summary

Anyone can cancel the request of another user using the nonce and the payload.

Vulnerability Details

Using the vm.startPrank() with bob allow us to cancel alice's request.

function test_cancelRequest() public {
uint256[] memory ids = new uint256[](2);
ids[0] = 0;
ids[1] = 9;
vm.startPrank(bob);
(uint256 nonce, uint256[] memory payload) = setupCancelRequest(alice, ids);
assert(IERC721(erc721C1).ownerOf(ids[0]) != alice);
assert(IERC721(erc721C1).ownerOf(ids[0]) != alice);
Request memory req = Protocol.requestDeserialize(payload, 0);
vm.expectEmit(true, false, false, false, bridge);
emit CancelRequestStarted(req.hash, 42);
IStarklane(bridge).startRequestCancellation(payload, nonce);
vm.expectEmit(true, false, false, false, bridge);
emit CancelRequestCompleted(req.hash, 42);
IStarklane(bridge).cancelRequest(payload, nonce);
assert(IERC721(erc721C1).ownerOf(ids[0]) == alice);
assert(IERC721(erc721C1).ownerOf(ids[1]) == alice);
vm.stopPrank();
}

Impact

Cancel of the requests makes the service unusable for the affected user. We could imagine an automated way of exploiting this to prevent a selected user to initiate requests.

Tools Used

Manual review; Foundry tests.

Recommendations

Check the sender of the transaction is indeed matching the address of the user targeted by the cancellation.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-cancel-callable-by-anyone

The process to cancel a message is detailed here: https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/#l2-l1_message_cancellation Since `startRequestCancellation` has the `onlyOwner`, only the owner can begin that process.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.