NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

cancelRequest function does not verify whether the cancellation process has been properly initiated before allowing the cancellation to be completed

Summary

The cancelRequest function does not verify whether the cancellation process has been properly initiated before allowing the cancellation to be completed, and anyone can call the function.

Vulnerability Details

According to the Starknet documentation, the startRequestCancellation function should be called first, followed by a waiting period, before the cancelRequest function can be executed. This crucial step is not being checked in the current implementation.

https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/

Here's the current implementation:

```solidity
function cancelRequest(
    uint256[] memory payload,
    uint256 nonce
) external {
    IStarknetMessaging(_starknetCoreAddress).cancelL1ToL2Message(
        snaddress.unwrap(_starklaneL2Address),
        felt252.unwrap(_starklaneL2Selector),
        payload,
        nonce
    );
    Request memory req = Protocol.requestDeserialize(payload, 0);
    _cancelRequest(req);
    emit CancelRequestCompleted(req.hash, block.timestamp);
}
```

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L243C3-L256C6

The cancelRequest function does not check whether the cancellation process has been initiated using the startRequestCancellation function. It also doesn't verify if the required waiting period has elapsed.

Besides, anyone can call the function.

Impact

By the design of Starknet, calling cancelRequest() directly would fail without the proper initial processes. Also, anyone can call cancelRequest() even if they are not the owner of the token sought to be cancelled.

Tools Used

Manual review

Recommendations

Add checks in the cancelRequest function to ensure the proper cancellation process is followed.
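As an added illustration (not code from the Starklane repository or from the Starknet core contract), the simplified model below shows why the two-step ordering described above cannot be bypassed from the bridge: the messaging contract keys its bookkeeping on a hash that includes msg.sender, so only the bridge that sent a message can cancel it, and it refuses a completion whose cancellation was never started or has not aged past the delay. Contract names, the delay value and the L2 address/selector constants are assumptions of the model.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Simplified model of the Starknet core contract's L1->L2 cancellation checks
// (added illustration, not the real StarknetMessaging or Starklane code). Bookkeeping
// is keyed on a hash that includes msg.sender: only the sender can start or complete.
contract MessagingModel {
    uint256 public constant CANCELLATION_DELAY = 5 days; // assumed value for this model
    mapping(bytes32 => uint256) public l1ToL2Messages;             // msgHash => pending count
    mapping(bytes32 => uint256) public l1ToL2MessageCancellations; // msgHash => start time

    function _hash(uint256 to, uint256 sel, uint256[] memory p, uint256 nonce) internal view returns (bytes32) {
        return keccak256(abi.encodePacked(uint256(uint160(msg.sender)), to, nonce, sel, p.length, p));
    }

    function sendMessageToL2(uint256 to, uint256 sel, uint256[] memory p, uint256 nonce) external {
        l1ToL2Messages[_hash(to, sel, p, nonce)] += 1;
    }

    function startL1ToL2MessageCancellation(uint256 to, uint256 sel, uint256[] memory p, uint256 nonce) external {
        bytes32 h = _hash(to, sel, p, nonce);
        require(l1ToL2Messages[h] > 0, "NO_MESSAGE_TO_CANCEL");
        l1ToL2MessageCancellations[h] = block.timestamp; // step 1: record when cancellation began
    }

    function cancelL1ToL2Message(uint256 to, uint256 sel, uint256[] memory p, uint256 nonce) external {
        bytes32 h = _hash(to, sel, p, nonce);
        require(l1ToL2Messages[h] > 0, "NO_MESSAGE_TO_CANCEL");
        uint256 started = l1ToL2MessageCancellations[h];
        require(started != 0, "MESSAGE_CANCELLATION_NOT_REQUESTED");    // step 1 never happened
        require(block.timestamp >= started + CANCELLATION_DELAY, "MESSAGE_CANCELLATION_NOT_ALLOWED_YET");
        l1ToL2Messages[h] -= 1;                                            // step 2: finalize
    }
}
// Bridge model: starting the cancellation is owner-gated, completing it is open to anyone,
// but the core only completes a cancellation this bridge's owner started and that has aged.
contract BridgeModel {
    address public immutable owner;
    MessagingModel public immutable core;
    uint256 constant L2_ADDR = 0x1234; uint256 constant L2_SEL = 0x5678; // placeholder values
    constructor(MessagingModel c) { owner = msg.sender; core = c; }
    function send(uint256[] memory p, uint256 n) external { core.sendMessageToL2(L2_ADDR, L2_SEL, p, n); }
    function startRequestCancellation(uint256[] memory p, uint256 n) external {
        require(msg.sender == owner, "not owner");
        core.startL1ToL2MessageCancellation(L2_ADDR, L2_SEL, p, n);
    }
    function cancelRequest(uint256[] memory p, uint256 n) external {
        core.cancelL1ToL2Message(L2_ADDR, L2_SEL, p, n); // reverts unless start + delay already happened
    }
}
```

A third party calling cancelRequest with arbitrary payload/nonce reaches the core with a hash no one started a cancellation for, so the call reverts before the bridge's own state is touched.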

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-cancel-callable-by-anyone

The process to cancel a message is detailed here: https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/#l2-l1_message_cancellation

Since `startRequestCancellation` has the `onlyOwner`, only the owner can begin that process.

Appeal created

sabit Submitter 11 months ago

n0kto Lead Judge 11 months ago
