NFTBridge
60,000 USDC
Submission Details
Severity: medium
Valid

Modifying _starklaneL2Address may cause the NFT to be locked.

Summary

If the _starklaneL2Address parameter is modified while an NFT bridged from L2 to L1 has not yet been withdrawn, or while a cross-chain transfer from L1 to L2 still needs to be cancelled, neither operation can be performed and the NFT will be stuck in the protocol.

Vulnerability Details

background:

  1. Owner can modify the _starklaneL2Address variable.

  2. For a cross-chain transfer from L2->L1, the user needs to call the withdrawTokens function on L1 to withdraw the NFT. The protocol verifies the validity of the user's withdrawal request based on the _starklaneL2Address variable.

  3. To cancel a cross-chain transfer from L1->L2, the owner needs to call the startRequestCancellation function, and then the user needs to call the cancelRequest function. Both functions rely on the _starklaneL2Address variable to verify validity.

Therefore, if the _starklaneL2Address variable is changed while a user's cross-chain transfer is in progress, the above functions will not be able to verify the validity of the request, the user will not be able to complete the transfer, and the NFT will be stuck in the protocol.

The same situation exists for the _starklaneL2Selector variable. Although modifying bridge_l1_address will also prevent withdrawal, cross-chain requests can still be canceled from L1.
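
The lock-up described above, as an added Python model that is not part of the original submission or the project's code. All class and function names, addresses and the payload are hypothetical; the model assumes the L1 messaging contract identifies an L2->L1 message by a hash over (L2 sender, L1 recipient, payload length, payload), with SHA3-256 standing in for keccak256.

```python
import hashlib

def msg_hash(from_l2, to_l1, payload):
    # Assumed message identity: hash over (sender, recipient, len, payload).
    # SHA3-256 is a stand-in so the model runs on the standard library only.
    words = [from_l2, to_l1, len(payload), *payload]
    return hashlib.sha3_256(b"".join(w.to_bytes(32, "big") for w in words)).digest()

class CoreMessaging:
    """Toy model of the L1 messaging contract's L2->L1 message store."""
    def __init__(self):
        self.pending = {}  # message hash -> number of unconsumed copies

    def receive_from_l2(self, from_l2, to_l1, payload):
        h = msg_hash(from_l2, to_l1, payload)
        self.pending[h] = self.pending.get(h, 0) + 1

    def consume(self, caller_l1, from_l2, payload):
        h = msg_hash(from_l2, caller_l1, payload)
        if self.pending.get(h, 0) == 0:
            raise LookupError("no matching message to consume")
        self.pending[h] -= 1

class Bridge:
    """Toy L1 bridge: the expected L2 sender is mutable owner state."""
    def __init__(self, core, address, l2_address):
        self.core, self.address, self.l2_address = core, address, l2_address

    def set_l2_address(self, new):  # owner-only in the real contract
        self.l2_address = new

    def withdraw_tokens(self, payload):
        # The hash is recomputed from the *current* l2_address, not the one
        # that was configured when the message was sent.
        self.core.consume(self.address, self.l2_address, payload)
        return True

def demo():
    core = CoreMessaging()
    bridge = Bridge(core, address=0xB1, l2_address=0xA1)
    payload = [0x721, 42]                      # constructed: collection, token id
    core.receive_from_l2(0xA1, 0xB1, payload)  # L2->L1 transfer in flight
    bridge.set_l2_address(0xA2)                # owner changes the address
    try:
        bridge.withdraw_tokens(payload)
        locked = False
    except LookupError:
        locked = True
    bridge.set_l2_address(0xA1)                # only the old value still matches
    return locked, bridge.withdraw_tokens(payload)
```

In this model the message is never lost: it stays pending under the old sender address, which is why the withdrawal succeeds again once the original value is restored.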

Due to the risk of capital lock-up, the impact is High and the possibility is Med. I judge the risk level to be High/Med.

Impact

Users' NFTs may be locked into the protocol.

Tools Used

manual

Recommendations

  1. Pause the contract when changing the above variables.

  2. Do not apply the _enabled check to the withdrawTokens function. Allow users to withdraw NFTs at any time.

    - if (!_enabled) {
    - revert BridgeNotEnabledError();
    - }
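
Review bot: with the _enabled check removed from withdrawTokens, disabling the bridge no longer stops withdrawals at all, which sits awkwardly with recommendation 1 if the pause is meant to cover an emergency. Consider gating withdrawals behind a separate flag that is independent of _enabled, or state explicitly that withdrawals are intended to stay open while the rest of the bridge is paused.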
  3. During the pause period, process all L1->L2 cross-chain cancellation requests.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-users-cannot-withdraw-while-bridge-disabled

Impact: Medium, token won’t be withdrawable until the bridge is enabled again. No real token loss. Likelihood: Low/Medium, bridge would be disabled in case of emergency/upgrade/audit.
