use_withdraw_auto feature enabled transfers started on Starknet will stuck the NFT on ETH chain
Summary
Bridge transactions that have been initialized/started with use_withdraw_auto feature will be stuck because ETH chain reverts on those kind of withdrawals.
Vulnerability Details
Due to the vulnerability found in the previous audit, WITHDRAW_AUTO feature was disabled. Unfortunately - the mitigation does not stop starting WITHDRAW_AUTO transactions on both chains.
Users who start those types of transactions on Starknet with use_withdraw_auto set to true will have their NFTs stuck on ETH chain because they will not be able to withdraw them.
Impact
NFTs stuck on Ethereum part of bridge can not be withdrawn until handling of WITHDRAW_AUTO feature is implemented.
Tools Used
Manual review
Recommendations
Disable use_withdraw_auto feature on Starknet chain. If a transaction set the use_withdraw_auto to true - revert the transaction.
Lead Judging Commences
finding-auto_withdrawn-L2-NFT-stuck
Impact: High, token will be stuck in L2 bridge. Likelyhood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.