Unauthorized token types can be bridged due to lack of collection validation.
Both the depositTokens function and the _depositIntoEscrow function in the bridge contract fail to validate that the token being deposited belongs to the Everai NFT collection. This oversight allows any ERC721 or ERC1155 token to be deposited into the bridge, contradicting the stated purpose of the bridge, which is to exclusively support the Everai NFT collection.
The functions lack a crucial check to ensure that the collection address matches the specific address of the Everai NFT contract. Because of the missing check, ERC1155 tokens can also be deposited, which is not aligned with the bridge's intended functionality.
Users can deposit and potentially bridge non-Everai NFTs, including ERC1155 tokens, which are not supposed to be supported.
This could lead to unauthorized tokens being transferred across the bridge, potentially causing issues on the L2 side (Starknet) that may not be equipped to handle these unexpected tokens.
It may disrupt the intended ecosystem of the ArkProject and Everai NFTs on both L1 and L2.
Users may suffer financial losses if they deposit unsupported tokens that cannot be properly retrieved or utilized on L2.
Manual review
Implement a strict check in both depositTokens and _depositIntoEscrow that the collection address equals the Everai NFT contract address, and reject any other collection (including ERC1155 tokens) before the deposit is escrowed.
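The following is an added illustration of the recommended fix; it is example code written for this finding, not the ArkProject bridge's own source. It assumes a simplified escrow contract with the two function names named in the finding (depositTokens and _depositIntoEscrow), a minimal ERC721 interface, and a deployer-supplied placeholder for the Everai collection address, which this page does not state.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC721 surface used by this example (hypothetical, not the bridge's interface).
interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

/// @notice Illustrative escrow that only accepts deposits from one fixed collection.
contract RestrictedEscrowExample {
    // Address of the Everai NFT contract. Fixed at deployment so it cannot drift later.
    // The deployer supplies the real address; this example uses whatever is passed in.
    address public immutable everaiCollection;

    error UnsupportedCollection(address collection);

    event Deposited(address indexed depositor, address indexed collection, uint256[] tokenIds);

    constructor(address _everaiCollection) {
        require(_everaiCollection != address(0), "collection address is zero");
        everaiCollection = _everaiCollection;
    }

    /// @dev Rejects any collection other than the Everai contract at the entry point.
    modifier onlyEverai(address collection) {
        if (collection != everaiCollection) revert UnsupportedCollection(collection);
        _;
    }

    /// @notice Public entry point: the collection is validated before anything is escrowed.
    function depositTokens(address collection, uint256[] calldata tokenIds)
        external
        onlyEverai(collection)
    {
        _depositIntoEscrow(collection, tokenIds);
    }

    /// @dev Internal escrow step. It re-checks the invariant (defense in depth) so that no
    ///      other internal caller can bypass the validation done in depositTokens.
    function _depositIntoEscrow(address collection, uint256[] calldata tokenIds) internal {
        if (collection != everaiCollection) revert UnsupportedCollection(collection);
        require(tokenIds.length > 0, "no token ids");

        // Only the ERC721 transfer path exists here: with the collection pinned to the
        // Everai ERC721 contract, an ERC1155 contract can never reach this code.
        for (uint256 i = 0; i < tokenIds.length; i++) {
            IERC721Minimal(collection).transferFrom(msg.sender, address(this), tokenIds[i]);
        }

        emit Deposited(msg.sender, collection, tokenIds);
    }
}
```

The check is duplicated deliberately: the modifier guards the external entry point, and the internal function repeats it so a future refactor that adds another caller of _depositIntoEscrow cannot silently reopen the issue. Pinning the address as an immutable also removes the ERC1155 branch entirely, which addresses the second half of the finding without needing a separate token-standard check.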