ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

State inconsistency in whitelist management - removal from mapping without array update

sabit

Summary

If enable is false, the function still sets _whiteList[collection] = enable (false), but doesn't remove the collection from the _collections array. This can lead to an inconsistent state where a collection is in the array but not whitelisted.

Vulnerability Details

Here's the _whiteListCollection function:

function _whiteListCollection(address collection, bool enable) internal {
if (enable && !_whiteList[collection]) {
bool toAdd = true;
uint256 i = 0;
while(i < _collections.length) {
if (collection == _collections[i]) {
toAdd = false;
break;
}
i++;
}
if (toAdd) {
_collections.push(collection);
}
}
_whiteList[collection] = enable;
}

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L340C4-L356C6

The problem arises when enable is falsein the whitelist function:

function whiteList(address collection, bool enable) external onlyOwner {
_whiteListCollection(collection, enable);
emit CollectionWhiteListUpdated(collection, enable);
}

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L284C1-L287C6

Here's a breakdown:

When enable is false, the code inside the if (enable && !_whiteList[collection]) block is not executed. This means no changes are made to the _collections array.

  • However, the last line _whiteList[collection] = enable; is always executed, regardless of the value of enable.

  • So, when enable is false, this line effectively removes the collection from the whitelist by setting _whiteList[collection] to false.

  • But crucially, it does not remove the collection's address from the _collections array since if (enable && !_whiteList[collection]) block is not executed.

This leads to an inconsistent state where:

  • The collection is marked as not whitelisted in the _whiteList mapping (_whiteList[collection] = false)

  • But the collection's address still remains in the _collections array

Impact

  • Collection address won't be whitelisted but still exists in the _collections array

  • It would be impossible to add a collection address, previously whitelisted and pushed into the collection array then removed from whitelist, back into the _collection array.

Tools Used

Manual review

Recommendations

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid-unwhitelist-on-L1-do-not-pop-from-array

LightChaser: Low-19, Gas-10

Appeal created

sabit Submitter
about 1 year ago
n0kto Lead Judge
about 1 year ago
n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid-unwhitelist-on-L1-do-not-pop-from-array

LightChaser: Low-19, Gas-10

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!