ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

the user variables are stored into memory instead of storage and not used anywhere

arnie

Summary

the user variables are stored into memory instead of storage and not used anywhere

Vulnerability Details

in the depositTokens function we first create a funcntion variable req of memory.

Request memory req;

then later in the function we store multiple parameters in this variable but since it is a memory type, the variables will not be saved to the contract and instead they will be erased after the tx is over. We can observe the following below...

req.collectionL1 = collectionL1;
req.collectionL2 = _l1ToL2Addresses[collectionL1];
req.ownerL1 = msg.sender;
req.ownerL2 = ownerL2;
if (ctype == CollectionType.ERC721) {
(req.name, req.symbol, req.uri, req.tokenURIs) = TokenUtil
.erc721Metadata(collectionL1, ids);
} else {
(req.uri) = TokenUtil.erc1155Metadata(collectionL1);
}
_depositIntoEscrow(ctype, collectionL1, ids);
req.tokenIds = ids;

as we can see multiple variables are set in the req memory variable and used elsewhere. This leads me to believe the author of the contract intended this variables to be set to storage.

Impact

incorrect setting of storage variables causes these values to be lost of the tx is done. These important variables are not stored anywhere and thus lost.

Tools Used

manual review

Recommendations

if the intention is to store these vairable to storage ensure the variables are stored in a storage variable correctly.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.