NFTBridge
60,000 USDC
Submission Details
Severity: medium
Invalid

`depositTokens` can be front-run

Github

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L78-L144

Summary

The `depositTokens` function is vulnerable to front-running attacks, which can unfairly advantage users who execute their transactions before others. The issue arises because the Layer 2 (L2) sequencer is FIFO (First-In-First-Out): transactions are processed in the order they are received.

Vulnerability Details

The current protocol does not address or mitigate the risk of front-running when depositTokens is called. In scenarios where incentives or rewards are offered based on transaction order, users can exploit the system by submitting transactions with the intent to front-run others. This results in the front-runner's transaction being processed before those of other users, leading to potential loss of incentives for the latter.

Example cases:

  1. Arkproject Fee Refund Incentive:
    Currently Arkproject is offering a fee refund for the first 1,000 tokens bridged to Starknet. A front-runner who submits their bridging transaction before others will receive the fee refund, while subsequent users who bridge afterward will miss out. This creates an unfair advantage and undermines the incentive structure intended to reward early participants.

  2. Incentives from other Collections:
    Similar incentive structures from other collections could also be affected by front-running. For example, if a collection provides rewards or bonuses for early bridging, a front-runner can capture these rewards, leaving legitimate participants without the promised benefits.

  3. Priority-Based Systems:
    Any system that prioritizes transactions based on their order—such as granting access to exclusive features or early benefits—can be compromised by front-running. This allows individuals to bypass the intended distribution of benefits, disrupting fair access.

  4. Example with Bored Apes:
    Gas wars are very common in NFTs. Consider a scenario where Bored Apes offers a $2,000 reward for the first 1,000 bridges. Given that Bored Apes is a 10,000 NFT collection, the first 1,000 bridges are eligible for the reward. Front-running could lead to only those who execute their transactions first benefiting from this reward, disadvantaging others who bridge tokens later.

Impact

Front-running can lead to a loss of incentives and rewards for users who are not able to execute their transactions first. This undermines the fairness of incentive distribution and can result in a significant disparity between front-runners and other participants.

Recommendations

There are many possible fixes for front-running, but a solid one is to implement a commit-reveal scheme, in which users first submit a hashed commitment of their transaction and later reveal the details. This approach obscures transaction data until it is processed, reducing the opportunity for front-running.
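
The commit-reveal pattern recommended above, as an added Solidity example that is not code from the Ark project or from this submission. The contract name, function names, block delays and deposit parameters are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical commit-reveal gate in front of a deposit call.
/// Not the Ark Bridge contract; every name and constant here is an assumption.
contract CommitRevealDeposit {
    uint256 public constant MIN_DELAY = 2;   // blocks between commit and reveal (assumed)
    uint256 public constant MAX_DELAY = 256; // blocks until a commitment expires (assumed)

    // commitment hash => block number at which it was recorded (0 = not committed)
    mapping(bytes32 => uint256) public committedAt;

    event Committed(bytes32 indexed commitment, uint256 blockNumber);
    event Revealed(address indexed sender, address collection, uint256 ownerL2, uint256[] ids);

    /// Including the sender in the hash means a copied commitment cannot be
    /// revealed by anyone other than the account that built it.
    function commitmentOf(
        address sender, address collection, uint256 ownerL2,
        uint256[] calldata ids, bytes32 salt
    ) public pure returns (bytes32) {
        return keccak256(abi.encode(sender, collection, ownerL2, ids, salt));
    }

    /// Phase 1: publish only the hash; the deposit parameters stay hidden.
    function commit(bytes32 commitment) external {
        require(committedAt[commitment] == 0, "already committed");
        committedAt[commitment] = block.number;
        emit Committed(commitment, block.number);
    }

    /// Phase 2: disclose the parameters; they must hash to a matured,
    /// unexpired commitment recorded for this sender.
    function reveal(
        address collection, uint256 ownerL2, uint256[] calldata ids, bytes32 salt
    ) external {
        bytes32 c = commitmentOf(msg.sender, collection, ownerL2, ids, salt);
        uint256 at = committedAt[c];
        require(at != 0, "no such commitment");
        require(block.number >= at + MIN_DELAY, "reveal too early");
        require(block.number <= at + MAX_DELAY, "commitment expired");
        delete committedAt[c]; // single use: the same reveal cannot be replayed
        // A real bridge would escrow the tokens and send the L1->L2 message here.
        emit Revealed(msg.sender, collection, ownerL2, ids);
    }
}
```

The block number stored at commit time gives each deposit a public position that is fixed before its parameters are visible.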

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
