Whitelisting is available even when _whiteListEnabled is false due to an incorrect if statement.
In Bridge::_whiteListCollection, if _whiteListEnabled is not enabled, users are still able to whitelist their collections at a contract state level:
Since the check is missing, this would enable users to whitelist collections through Bridge::withdrawTokens even when whitelisting is not allowed.
Impact: High
Likelihood: Medium
A user calls Bridge::withdrawTokens where the address of collectionL1 must be equal to address(0x0) and the CollectionType is CollectionType.ERC721, so the logic calls Bridge::_whiteListCollection inside Bridge::withdrawTokens.
Another entry point for Bridge::_whiteListCollection is Bridge::whiteList, whose access control is restricted to the owner. Still, if the owner has NOT enabled _whiteListEnabled through Bridge::enableWhiteList, then even they should NOT be able to whitelist; otherwise, what is the point of having _whiteListEnabled?
Manual Review
Add the missing _whiteListEnabled check in Bridge::_whiteListCollection:
Another thing for the sponsors to consider is whether it is a good idea to allow unwhitelisting a collection when _whiteListEnabled is false, because at the moment that is possible.
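As an added sketch (not the audited Bridge contract or the finding's own snippet), the shape of the defect beside the recommended check: only the names cited in the finding (_whiteListEnabled, _whiteListCollection, whiteList, enableWhiteList, withdrawTokens, CollectionType) come from the page; the storage layout, the owner modifier, the parameter lists and the `require` wording are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the audited Bridge: only the names cited in the finding
// (_whiteListEnabled, _whiteListCollection, whiteList, enableWhiteList,
// withdrawTokens, CollectionType) come from the page; everything else is assumed.
contract BridgeSketch {
    enum CollectionType { ERC721, ERC1155 }

    address public owner = msg.sender;
    bool internal _whiteListEnabled;
    mapping(address => bool) public isWhiteListed;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function enableWhiteList(bool enabled) external onlyOwner {
        _whiteListEnabled = enabled;
    }

    // Owner-only entry point; access control alone does not gate on _whiteListEnabled.
    function whiteList(address collection, bool enabled) external onlyOwner {
        _whiteListCollection(collection, enabled);
    }

    // Unprivileged entry point sketched from the finding: an unset collectionL1
    // together with CollectionType.ERC721 reaches the whitelist write.
    function withdrawTokens(address collectionL1, address collectionL2, CollectionType ctype) external {
        if (collectionL1 == address(0) && ctype == CollectionType.ERC721) {
            _whiteListCollection(collectionL2, true);
        }
        // ... actual withdrawal logic elided in this sketch
    }

    // Shape of the defect: the helper mutates whitelist state without consulting
    // _whiteListEnabled, so both entry points above write to it even when disabled.
    function _whiteListCollectionVulnerable(address collection, bool enabled) internal {
        isWhiteListed[collection] = enabled;
    }

    // Recommended form: a single require in the shared helper closes both paths,
    // including the unwhitelisting case the finding flags as a follow-up concern.
    function _whiteListCollection(address collection, bool enabled) internal {
        require(_whiteListEnabled, "whitelist disabled");
        isWhiteListed[collection] = enabled;
    }
}
```

Because both entry points funnel through the same internal helper, placing the gate there rather than in each caller is what keeps the owner path and the withdrawTokens path consistent.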
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.