NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

The initialize function may fail to be called

Summary

When calling the initialize function, the parameter owner passed in must be equal to msg.sender. Otherwise the call will fail. This is a missing feature.

Vulnerability Details

In the initialize function, the owner is first set to the passed-in owner.

    function initialize(
        bytes calldata data
    )
        public
        onlyInit
    {
        (
            address owner,
            IStarknetMessaging starknetCoreAddress,
            uint256 starklaneL2Address,
            uint256 starklaneL2Selector
        ) = abi.decode(
            data,
            (address, IStarknetMessaging, uint256, uint256)
        );
        ···
        _transferOwnership(owner);

Then it calls the set function.

        setStarklaneL2Address(starklaneL2Address);
        setStarklaneL2Selector(starklaneL2Selector);

The set function can only be called by the owner.
So if the parameter owner passed in is not equal to msg.sender, then initialize will revert.

    function setStarklaneL2Address(
        uint256 l2Address
    )
        public
        onlyOwner

I think this is a missing feature, so the impact is Med. Possibility is also Med. I judge the risk level to be Med.

Impact

The initialize function may revert.

Tools Used

manual

Recommendations

- _transferOwnership(owner);
setStarklaneL2Address(starklaneL2Address);
setStarklaneL2Selector(starklaneL2Selector);
+ _transferOwnership(owner);
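
Review bot: with `_transferOwnership(owner)` moved below the two setters, the `onlyOwner` check on `setStarklaneL2Address` (and on the selector setter, if it is guarded the same way) is evaluated against whatever owner is stored before `initialize` assigns one, which these lines do not show. Unless that prior owner is the caller, the setters revert for every caller instead of only for a mismatched `owner`; writing the two values in `initialize` without going through the `onlyOwner` setters would avoid depending on the call order.
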
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-initialize-owner-has-to-be-msg-sender

No real impact. It even prevents setting an invalid owner. Future versions/upgrades are out of scope, since this function can/will change to not modify the owner at every upgrade.
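
A minimal reproduction of the call order discussed in this submission, added here as an example; it is not code from the NFTBridge project or from the submitter. `MiniBridge`, `OrderingDemo`, `setL2Address` and the `initialized` flag (standing in for `onlyInit`) are hypothetical names, and the owner check is assumed to be a plain `msg.sender == owner` comparison.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for the bridge: same call order as the quoted initialize.
contract MiniBridge {
    address public owner;
    uint256 public l2Address;
    bool private initialized; // assumed stand-in for onlyInit

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function initialize(address newOwner, uint256 l2Address_) public {
        require(!initialized, "already initialized");
        initialized = true;
        owner = newOwner;            // ownership moves first
        setL2Address(l2Address_);    // internal call, msg.sender is still the initializer
    }

    function setL2Address(uint256 value) public onlyOwner {
        l2Address = value;
    }
}

contract OrderingDemo {
    // matchingOk: owner == caller, the guarded setter passes.
    // mismatchReverted: owner != caller, onlyOwner rejects the initializer.
    function run() external returns (bool matchingOk, bool mismatchReverted) {
        MiniBridge a = new MiniBridge();
        try a.initialize(address(this), 1) {
            matchingOk = (a.owner() == address(this) && a.l2Address() == 1);
        } catch {}

        MiniBridge b = new MiniBridge();
        try b.initialize(address(0xBEEF), 1) {} catch {
            // The revert rolled back the owner write, so no owner was set.
            mismatchReverted = (b.owner() == address(0));
        }
    }
}
```

Because the failed `initialize` reverts as a whole, the mismatched owner is never stored, which is the behaviour the judge's comment refers to.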
