NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

State inconsistency in whitelist management - removal from mapping without array update

Summary

If enable is false, the function still sets _whiteList[collection] = enable (false), but doesn't remove the collection from the _collections array. This can lead to an inconsistent state where a collection is in the array but not whitelisted.

Vulnerability Details

Here's the _whiteListCollection function:

    function _whiteListCollection(address collection, bool enable) internal {
        if (enable && !_whiteList[collection]) {
            bool toAdd = true;
            uint256 i = 0;
            while(i < _collections.length) {
                if (collection == _collections[i]) {
                    toAdd = false;
                    break;
                }
                i++;
            }
            if (toAdd) {
                _collections.push(collection);
            }
        }
        _whiteList[collection] = enable;
    }

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L340C4-L356C6

The problem arises when enable is false in the whiteList function:

    function whiteList(address collection, bool enable) external onlyOwner {
        _whiteListCollection(collection, enable);
        emit CollectionWhiteListUpdated(collection, enable);
    }

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L284C1-L287C6

Here's a breakdown:

  • When enable is false, the code inside the if (enable && !_whiteList[collection]) block is not executed. This means no changes are made to the _collections array.

  • However, the last line _whiteList[collection] = enable; is always executed, regardless of the value of enable.

  • So, when enable is false, this line effectively removes the collection from the whitelist by setting _whiteList[collection] to false.

  • But crucially, it does not remove the collection's address from the _collections array, since the if (enable && !_whiteList[collection]) block is not executed.

This leads to an inconsistent state where:

  • The collection is marked as not whitelisted in the _whiteList mapping (_whiteList[collection] = false)

  • But the collection's address still remains in the _collections array

Impact

  • Collection address won't be whitelisted but still exists in the _collections array

  • A collection address that was previously whitelisted and pushed into the _collections array, then removed from the whitelist, would be impossible to add back into the _collections array.
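
One way to keep the mapping and the array in step, shown as an added example that is not part of the submission or the Ark codebase. ConsistentWhitelist, owner, _indexPlusOne and invariantHolds are hypothetical names; _whiteList, _collections and CollectionWhiteListUpdated mirror the identifiers quoted above. Removal uses swap-and-pop, so array order is not preserved.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: every state change updates the mapping and the array together.
contract ConsistentWhitelist {
    event CollectionWhiteListUpdated(address indexed collection, bool enable);

    address public immutable owner; // hypothetical stand-in for onlyOwner
    mapping(address => bool) internal _whiteList;
    // Hypothetical helper: 1-based position in _collections, 0 = not present.
    mapping(address => uint256) internal _indexPlusOne;
    address[] internal _collections;

    constructor() {
        owner = msg.sender;
    }

    function whiteList(address collection, bool enable) external {
        require(msg.sender == owner, "not owner");
        _whiteListCollection(collection, enable);
        emit CollectionWhiteListUpdated(collection, enable);
    }

    function _whiteListCollection(address collection, bool enable) internal {
        if (enable == _whiteList[collection]) return; // nothing changes
        if (enable) {
            _collections.push(collection);
            _indexPlusOne[collection] = _collections.length;
        } else {
            // Swap-and-pop: move the last entry into the freed slot, O(1).
            uint256 idx = _indexPlusOne[collection] - 1;
            address last = _collections[_collections.length - 1];
            _collections[idx] = last;
            _indexPlusOne[last] = idx + 1;
            _collections.pop();
            delete _indexPlusOne[collection];
        }
        _whiteList[collection] = enable;
    }

    // Invariant check for tests: each array entry is whitelisted and indexed.
    function invariantHolds() external view returns (bool) {
        for (uint256 i = 0; i < _collections.length; i++) {
            address c = _collections[i];
            if (!_whiteList[c] || _indexPlusOne[c] != i + 1) return false;
        }
        return true;
    }
}
```

Calling invariantHolds() after any sequence of whiteList(collection, true) and whiteList(collection, false) calls is a direct test for the drift described above.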

Tools Used

Manual review

Recommendations

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid-unwhitelist-on-L1-do-not-pop-from-array

LightChaser: Low-19, Gas-10

Appeal created

sabit Submitter
10 months ago
n0kto Lead Judge
9 months ago
n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid-unwhitelist-on-L1-do-not-pop-from-array

LightChaser: Low-19, Gas-10
