NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Lack of Uniqueness in Deployed Proxies

Summary

The deployERC1155Bridgeable function always deploys a new implementation contract, but it doesn't ensure that each deployed proxy is unique or track the deployed proxies.

Vulnerability Details

// First deployment
address proxy1 = deployERC1155Bridgeable("https://example.com/token/{id}.json");
// Second deployment with the same URI
address proxy2 = deployERC1155Bridgeable("https://example.com/token/{id}.json");
// proxy1 and proxy2 are different addresses and point to different implementations
// with the same URI

Impact

  • Multiple proxies for the same URI can create phantom contracts that are not easily identifiable. If a user attempts to interact with a specific URI, they may inadvertently engage with a proxy that has a different implementation than expected.

  • Each invocation of deployERC1155Bridgeable generates a new implementation, regardless of whether an existing one with the same URI already exists. This leads to unnecessary contract deployments.

Tools Used

Manual Review

Recommendations

Implement a mapping to track the deployed proxies.

mapping(string => address) private _deployedProxies;
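
One way to implement the recommended mapping, as an added example that is not the project's code: a factory that keeps one shared implementation and records one proxy per URI, reverting on a repeat. The names TokenStub, TrackedFactory, proxyFor, ProxyDeployed and ProxyAlreadyDeployed are hypothetical, and the use of OpenZeppelin's ERC1967Proxy is an assumption, since the page does not show the bridge's proxy type.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.22;

import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";

// Hypothetical stand-in for the token implementation; the project's real
// ERC1155Bridgeable contract is not shown on this page.
contract TokenStub {
    string public uri;
    bool private _initialized;

    constructor() { _initialized = true; } // lock the bare implementation

    function initialize(string calldata uri_) external {
        require(!_initialized, "already initialized");
        _initialized = true;
        uri = uri_;
    }
}

// Hypothetical factory: one shared implementation, one tracked proxy per URI.
contract TrackedFactory {
    address public immutable implementation;
    mapping(string => address) private _deployedProxies;

    event ProxyDeployed(string uri, address proxy);
    error ProxyAlreadyDeployed(string uri, address existing);

    constructor() {
        implementation = address(new TokenStub());
    }

    function deployERC1155Bridgeable(string calldata uri) external returns (address proxy) {
        address existing = _deployedProxies[uri];
        if (existing != address(0)) revert ProxyAlreadyDeployed(uri, existing);

        bytes memory initData = abi.encodeCall(TokenStub.initialize, (uri));
        proxy = address(new ERC1967Proxy(implementation, initData));

        _deployedProxies[uri] = proxy;
        emit ProxyDeployed(uri, proxy);
    }

    function proxyFor(string calldata uri) external view returns (address) {
        return _deployedProxies[uri];
    }
}
```

The mapping key is the exact URI string, so two URIs that differ by a single character are tracked as separate entries.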

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
A PoC always helps to understand the real impact possible.
