ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Off by one error DOS

obincifer

Summary

Modulus used for computation in Starknet. This is the maximum value.
confirmed as the max value in:

Its is the maximum value and not the "maximum value + 1". Implementation is off by one.

Impact

Due to this off by one error, there will be a complete DOS on user. ie snaddress user = Cairo.snaddressWrap(SN_MODULUS); will not be able to use the service completely.
Hence any asset he owns will be permanently stuck accross bridge

Tools Used

foundry

Recommendations

function isFelt252(
uint256 val
)
internal
pure
returns (bool)
{
+ return val <= SN_MODULUS;
- return val < SN_MODULUS;
}

POC

$ git diff
diff --git a/cairo.t.sol b/cairo.t.sol
index 4db400f..ed79706 100644
--- a/cairo.t.sol
+++ b/cairo.t.sol
@@ -1,7 +1,7 @@
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.0;
-import "forge-std/Test.sol";
+import {console, Test} from "forge-std/Test.sol";
import "../src/sn/Cairo.sol";
/**
@@ -18,6 +18,8 @@ contract CairoTest is Test {
assertFalse(Cairo.isFelt252(SN_MODULUS + 1));
assertTrue(Cairo.isFelt252(0));
assertTrue(Cairo.isFelt252(0x12345));
+ //Added test below
+ assertFalse(Cairo.isFelt252(SN_MODULUS)); //@audit off by one
}
//
@@ -28,6 +30,9 @@ contract CairoTest is Test {
vm.expectRevert();
Cairo.felt252Wrap(type(uint256).max);
+
+ vm.expectRevert();
+ Cairo.felt252Wrap(SN_MODULUS);
}
//
@@ -38,6 +43,9 @@ contract CairoTest is Test {
vm.expectRevert();
Cairo.snaddressWrap(type(uint256).max);
+
+ vm.expectRevert();
+ Cairo.snaddressWrap(SN_MODULUS);
}
//
@@ -232,3 +240,4 @@ contract CairoTest is Test {
}
}
+
(END)
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.