ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

NFT tokens support both ERC721 and ERC1155 standards will be locked

gajiknownnothing

Summary

The TokenUtil.detectInterface() function identifies NFTs that support both ERC721 and ERC1155 standards as CollectionType.ERC721, and the StarklaneEscrow::_escrow(collectionAddres => (tokenId => depositor)) mapping tracks only one tokenId per depositor, this can lead to NFT tokens, such as Sandbox's ASSETs, will be locked when bridged between L1 and L2.

Vulnerability Details

The bridge's collection whitelist could be disabled by the enableWhiteList() function, so after the whitelist is disabled, it is possible for a user to bridge tokens that support both ERC721 and ERC1155 standards, such as the Sandbox's ASSETs.

The Sandbox's ASSETs ERC1155ERC721.supportsInterface supports both ERC721 and ERC1155 interfaces:

function supportsInterface(bytes4 id) external view returns (bool) {

return

id == 0x01ffc9a7 || //ERC165

id == 0xd9b67a26 || // ERC1155

id == 0x80ac58cd || // ERC721

id == 0x5b5e139f || // ERC721 metadata

id == 0x0e89341c; // ERC1155 metadata

}

As the TokenUtil.detectInterface() function identifies the type of these NFTs as CollectionType.ERC721, bridging Sandbox's ASSETs from L1 to L2 will transfer one item each time.

In the StarklaneEscrow._depositIntoEscrow() function, when multiple users attempt to bridge the same Sandbox ASSET (identified by the same tokenId), the function sets _escrow[collection][id] = msg.sender. This causes the _escrow mapping to update the owner of the token to the last user who bridged the ASSET with that tokenId.

For instance, if User A bridges a Sandbox ASSET with tokenId = 123, _escrow[collection][123] is set to User A. Later, if User B bridges the same tokenId = 123, _escrow[collection][123] is overwritten, now showing User B as the owner. This results in the original owner, User A, losing ownership of the token.

Impact

If bridge whitelist is disabled or NFT tokens support both ERC721 and ERC1155 standards are whitelisted, bridge users' token will cause tokens to be locked.

Tools Used

vscode

Recommendations

The TokenUtil.detectInterface() function should check if a collection is ERC1155 first.

@@ -44,10 +44,6 @@ library TokenUtil {

type(IERC721).interfaceId

);

- if (supportsERC721) {

- return CollectionType.ERC721;

- }

bool supportsERC1155 = ERC165Checker.supportsInterface(

collection,

type(IERC1155).interfaceId

@@ -57,6 +53,10 @@ library TokenUtil {

return CollectionType.ERC1155;

}

+ if (supportsERC721) {

+ return CollectionType.ERC721;

+ }

revert UnsupportedTokenStandard();

}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Assigned finding tags:

invalid-both-standard-same-nft

Great catch ! Unfortunately only ERC721 are in scope. Tokens with both standard are not supported and the collection and using it that way would be a user error.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.