NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

There is no way to withdraw the NFT in case of partial reversion

Summary

There is no way to withdraw the NFT in case of partial reversion.

Vulnerability Details

From the Starknet docs we can see the following details:
https://docs.starknet.io/architecture-and-concepts/network-architecture/transaction-life-cycle/

All changes that occurred during the validation stage are not reverted. However, all changes that occurred during the execution stage are reverted, including all messages to L1 or any events that were emitted during this stage.
Events might still be emitted from the validation stage or the fee charge stage

This is important because when bridging from L2 to L1 we might succeed during the validation stage on L2 but the messages sent to L1 are not sent. In this state the protocol thinks the NFT was sent to L1 on the L2 state, but the message was never received on L1 and therefore the NFT on L1 cannot be withdrawn.

There is currently no emergency withdraw function in escrow, meaning that if this happens the user's NFT will be stuck in the bridge because the following function will always revert.

    } else {
        _consumeMessageStarknet(
            _starknetCoreAddress,
            _starklaneL2Address,
            request
        );
    }

The snippet above is from the withdrawTokens function in the Bridge.sol contract. Since the message was never sent to L1, the call to _consumeMessageStarknet will always revert, and thus the NFT is stuck in the escrow on L1 and cannot be withdrawn by the owner.

Lines of Code

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L174

Impact

The user's NFT will forever be stuck in the contract: loss of funds.

Tools Used

Manual review

Recommendations

Implement an emergency function that can only be used by the owner in order to handle possible partial reversion cases from Starknet; otherwise the NFT will not be recoverable.
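
The gating that Vulnerability Details relies on, as an added example (not code from the Ark project or from Starknet): a small Python model in which escrow release on L1 only happens after an L2-to-L1 message is found and consumed. All class and function names, addresses and payload values are hypothetical, and SHA3-256 stands in for the keccak256 message hash.

```python
import hashlib

def msg_hash(from_l2: int, to_l1: int, payload: list[int]) -> bytes:
    # Stand-in for keccak256 over (from, to, len(payload), payload) as 32-byte words.
    words = [from_l2, to_l1, len(payload), *payload]
    return hashlib.sha3_256(b"".join(w.to_bytes(32, "big") for w in words)).digest()

class MessagingCore:
    """Hypothetical model of the L1 core contract's L2->L1 message ledger."""
    def __init__(self):
        self.pending = {}  # message hash -> number of unconsumed copies

    def accept_from_l2(self, from_l2, to_l1, payload):
        # Models an L2 state update carrying this message being settled on L1.
        h = msg_hash(from_l2, to_l1, payload)
        self.pending[h] = self.pending.get(h, 0) + 1

    def consume(self, from_l2, caller, payload):
        h = msg_hash(from_l2, caller, payload)
        if self.pending.get(h, 0) == 0:
            raise RuntimeError("INVALID_MESSAGE_TO_CONSUME")
        self.pending[h] -= 1

class Bridge:
    """Hypothetical model of the L1 bridge: escrow release is gated on consume()."""
    def __init__(self, core, address, l2_bridge):
        self.core, self.address, self.l2_bridge = core, address, l2_bridge
        self.escrow = {}  # token id -> depositor

    def withdraw_tokens(self, payload, token_id, recipient):
        self.core.consume(self.l2_bridge, self.address, payload)  # raises first
        del self.escrow[token_id]
        return recipient

def demo():
    core = MessagingCore()
    bridge = Bridge(core, address=0xB1, l2_bridge=0xA2)  # constructed addresses
    bridge.escrow[7] = "alice"
    payload = [7, 0xA11CE]  # constructed request payload
    results = []
    for step in ("no message", "after settlement", "replay"):
        if step == "after settlement":
            core.accept_from_l2(0xA2, 0xB1, payload)
        try:
            outcome = bridge.withdraw_tokens(payload, 7, "alice")
        except RuntimeError as exc:
            outcome = str(exc)
        results.append((step, outcome, 7 in bridge.escrow))
    return results

if __name__ == "__main__":
    print(demo())
```
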

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
