NFTBridge
60,000 USDC
Submission Details
Severity: medium
Valid

An L2->L1 cross-chain transfer may revert forever on L1 and cannot be undone.

Summary

If the user sets use_withdraw_auto to true when bridging NFTs from L2 to L1, those NFTs will be stuck forever.

Vulnerability Details

Background:

  1. When the user calls the deposit_tokens function to bridge an NFT from L2 to L1, the use_withdraw_auto parameter can be set. If it is set to true, the L2 transaction executes successfully and the cross-chain message is sent normally.

  2. I don't see anywhere that cross-chain messages from L2->L1 can be cancelled.

  3. When the user calls the withdrawTokens function on L1 to withdraw the NFT, the protocol does not support withdraw_auto and reverts directly:

    // In withdrawTokens on L1: any request whose header has the
    // auto-withdraw flag set is rejected instead of being consumed.
    if (Protocol.canUseWithdrawAuto(header)) {
        // 2024-03-19: disabled autoWithdraw after audit report
        // _consumeMessageAutoWithdraw(_starklaneL2Address, request);
        revert NotSupportedYetError();
    }

Therefore, if the user sets use_withdraw_auto to true, the user's NFT will remain stuck in the protocol and cannot be withdrawn. This is not foreseeable for the user, because the L2 call executes normally; the failure only appears once the L2 block is verified on L1 (that is, 3 to 4 hours later), and by then there is no way to cancel the cross-chain message.

Since funds face the risk of being locked, I judge the impact to be High. The likelihood is Medium, so the risk level is H/M.

Impact

The user's NFT may be stuck in L2's bridge contract.

Tools Used

Manual review

Recommendations

Revert on L2 when the user sets use_withdraw_auto to true, so that a request L1 cannot consume is never emitted and the NFT never enters escrow.
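The flow from the Vulnerability Details and the effect of the recommended fix, as an added toy model written for this page (not Starklane code; the class names, message layout and escrow bookkeeping are simplifying assumptions):

```python
# Toy model of the L2->L1 flow in this finding. Constructed example, not
# Starklane code: class names, message layout and escrow bookkeeping are
# simplifying assumptions.
class NotSupportedYetError(Exception):
    """Mirrors the revert in the L1 withdrawTokens auto-withdraw branch."""

class L2Bridge:
    """L2 side: escrows the NFT and queues a message carrying the header flag."""
    def __init__(self, reject_auto_withdraw):
        # reject_auto_withdraw=True models the recommended fix (revert on L2).
        self.reject_auto_withdraw = reject_auto_withdraw
        self.escrow = {}   # token_id -> owner whose NFT is locked on L2
        self.outbox = []   # messages in flight to L1; there is no cancel path

    def deposit_tokens(self, owner, token_id, use_withdraw_auto):
        if self.reject_auto_withdraw and use_withdraw_auto:
            raise ValueError("use_withdraw_auto is not supported on L1")
        self.escrow[token_id] = owner
        self.outbox.append({"owner": owner, "token_id": token_id,
                            "header_auto": use_withdraw_auto})

class L1Bridge:
    """L1 side: consumes the message; the auto-withdraw branch is disabled."""
    def __init__(self):
        self.owners = {}   # token_id -> owner who received the NFT on L1

    def withdraw_tokens(self, request):
        if request["header_auto"]:
            # 2024-03-19: disabled autoWithdraw after audit report
            raise NotSupportedYetError()
        self.owners[request["token_id"]] = request["owner"]

def bridge_round_trip(use_withdraw_auto, reject_on_l2, token_id=42):
    """Deposit on L2, then attempt the L1 withdraw once the message is provable.
    Returns 'withdrawn_on_l1', 'stuck_in_l2_escrow' or 'rejected_on_l2'."""
    l2, l1 = L2Bridge(reject_on_l2), L1Bridge()
    try:
        l2.deposit_tokens("alice", token_id, use_withdraw_auto)
    except ValueError:
        return "rejected_on_l2"   # NFT never left the user's wallet
    # 3 to 4 hours later the L2 block is verified and the message is consumable.
    request = l2.outbox[0]
    try:
        l1.withdraw_tokens(request)
    except NotSupportedYetError:
        # Every retry reverts the same way; escrow keeps the NFT, nothing cancels it.
        assert token_id in l2.escrow and token_id not in l1.owners
        return "stuck_in_l2_escrow"
    return "withdrawn_on_l1"
```

With the flag set and no L2-side check the NFT ends in escrow with an unconsumable message; with the recommended L2 revert the deposit itself fails and the NFT stays with the user.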

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-auto_withdrawn-L2-NFT-stuck

Impact: High, token will be stuck in L2 bridge. Likelihood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.
