One of the core features of the Starklane bridge is its ability to whitelist specific collections for deposits and transfers. However, as I reviewed the whiteList function, I realized that there was no validation to ensure that the address being whitelisted was legitimate.
In a worst-case scenario, an attacker could add a malicious contract to the whitelist, allowing it to interact with the bridge and potentially exploit it for unauthorized actions.
Description: The whiteList function allows any address to be whitelisted without validation, potentially leading to unauthorized contracts being added to the whitelist and malicious operations.
Location: whiteList function in ethereum/src/IStarklane.sol
Issue: The whiteList function allows any address to be whitelisted without proper validation. Malicious or unintended addresses could be whitelisted, leading to security risks.
Impact: Malicious contracts could be whitelisted, leading to unauthorized token transfers or other malicious activities.
Tools used: Manual Review.
Recommendations: Add validation checks before whitelisting addresses to ensure they are valid and intended.
Potential changes: I proposed adding validation checks to ensure that only legitimate, intended contracts could be whitelisted. This simple check would reduce the risk of unauthorized contracts being granted access to the bridge.
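A sketch of what such validation checks could look like, added here as an illustration; it is not part of the original submission and is not Starklane's code. The contract name, the whiteList(address, bool) signature, the owner check, the storage layout and the error names are all assumptions; only the ERC-165 interface IDs are standard values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: hypothetical contract, not the bridge's implementation.
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}

contract WhitelistSketch {
    bytes4 private constant ERC721_ID = 0x80ac58cd;  // ERC-721 interface ID
    bytes4 private constant ERC1155_ID = 0xd9b67a26; // ERC-1155 interface ID

    address public immutable owner;               // assumed admin model
    mapping(address => bool) public whitelisted;  // assumed storage layout

    error NotOwner();
    error ZeroAddress();
    error NotAContract(address collection);
    error UnsupportedCollection(address collection);

    event CollectionWhitelisted(address indexed collection, bool enabled);

    constructor() {
        owner = msg.sender;
    }

    function whiteList(address collection, bool enable) external {
        if (msg.sender != owner) revert NotOwner();
        // Validate only when enabling, so a bad entry can always be removed.
        if (enable) _validate(collection);
        whitelisted[collection] = enable;
        emit CollectionWhitelisted(collection, enable);
    }

    function _validate(address collection) private view {
        if (collection == address(0)) revert ZeroAddress();
        // Rejects EOAs and not-yet-deployed addresses.
        if (collection.code.length == 0) revert NotAContract(collection);
        if (!_supports(collection, ERC721_ID) && !_supports(collection, ERC1155_ID)) {
            revert UnsupportedCollection(collection);
        }
    }

    // Gas-capped ERC-165 probe. A reverting target counts as unsupported;
    // malformed return data reverts the whole call, which also fails closed.
    function _supports(address target, bytes4 id) private view returns (bool ok) {
        try IERC165(target).supportsInterface{gas: 30000}(id) returns (bool r) {
            ok = r;
        } catch {
            ok = false;
        }
    }
}
```

These checks only confirm that the address is a deployed contract that declares an NFT interface; supportsInterface is self-reported, so they do not establish that the contract behaves honestly.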
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.