NFTBridge
60,000 USDC
Submission Details
Severity: high
Invalid

The Bridge contract could allow unauthorized token deposits, effectively bypassing the whitelist mechanism

Summary

The Bridge contract could allow unauthorized token deposits, effectively bypassing the whitelist mechanism, due to a flaw in the _isWhiteListed function.

Vulnerability Details

This vulnerability stems from an incorrect implementation of the _isWhiteListed function, which is crucial for enforcing the whitelist restrictions.

function _isWhiteListed(
    address collection
) internal view returns (bool) {
    return !_whiteListEnabled || _whiteList[collection];
}

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L334C5-L338C6

This implementation has a logical flaw:

  1. When _whiteListEnabled is false, the function always returns true, regardless of whether the collection is in the whitelist or not.

  2. This means that when the whitelist feature is disabled, all collections are considered whitelisted, which is contrary to the intended security model.

Here is a quick test in Remix IDE to show the flaw in the function. Paste the below code into Remix and pass in any address as the collection address:

// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

contract Whitelist {
    // Both fields start at their zero values: the whitelist is disabled
    // and no collection is listed, so the check below returns true for
    // any address until _whiteListEnabled is set.
    bool _whiteListEnabled;
    mapping(address => bool) _whiteList;

    // Same expression as Bridge.sol, made external so Remix can call it.
    function _isWhiteListed(
        address collection
    ) external view returns (bool) {
        return !_whiteListEnabled || _whiteList[collection];
    }
}

The function always returns true, even if the collection address passed as the parameter was never whitelisted.

The depositTokens function, which is responsible for initiating token deposits into the bridge, checks the whitelist status using this flawed function:

if (!_isWhiteListed(collectionL1)) {
    revert NotWhiteListedError();
}

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L100C8-L102C10

Due to the bug in _isWhiteListed, this check can be bypassed when the whitelist is disabled, allowing any collection to be deposited into the bridge.

Proof of Concept:

  1. Set _whiteListEnabled to false using the enableWhiteList function.

  2. Attempt to deposit tokens from a non-whitelisted collection using the depositTokens function.

  3. The deposit will succeed, bypassing the intended whitelist check.

Impact

  • Fake collections named after the Everai NFT collection can be deposited into the bridge when the whitelist is disabled.

  • Malicious actors can deposit tokens from unauthorized or harmful collections into the bridge when the whitelist is disabled.

Tools Used

Manual review

Recommendations

Modify the _isWhiteListed function to correctly implement the whitelist logic:

function _isWhiteListed(address collection) internal view returns (bool) {
    return _whiteListEnabled && _whiteList[collection];
}
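The following Foundry test is an added example, not code from the ark-project repository or from this submission. It places the current _isWhiteListed expression and the expression proposed above side by side in a small stand-in contract and exercises both with the whitelist flag on and off, including the depositTokens-style revert from the Vulnerability Details section. The contract and function names (WhitelistHarness, allowCurrent, allowProposed, setEnabled, setListed, depositCurrent, depositProposed) and the forge-std dependency are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Added example (not the ark-project code): a minimal stand-in for the
// whitelist logic in Bridge.sol with both variants of the check.
contract WhitelistHarness {
    bool public whiteListEnabled;
    mapping(address => bool) public whiteList;

    error NotWhiteListedError();

    function setEnabled(bool enabled) external { whiteListEnabled = enabled; }
    function setListed(address collection, bool listed) external { whiteList[collection] = listed; }

    // Expression currently in Bridge.sol _isWhiteListed.
    function allowCurrent(address collection) public view returns (bool) {
        return !whiteListEnabled || whiteList[collection];
    }

    // Expression proposed in the Recommendations section above.
    function allowProposed(address collection) public view returns (bool) {
        return whiteListEnabled && whiteList[collection];
    }

    // Stand-ins for the guard at the top of depositTokens.
    function depositCurrent(address collection) external view {
        if (!allowCurrent(collection)) revert NotWhiteListedError();
    }

    function depositProposed(address collection) external view {
        if (!allowProposed(collection)) revert NotWhiteListedError();
    }
}

contract WhitelistHarnessTest is Test {
    WhitelistHarness h;
    address listed = address(0x1111);   // constructed sample address on the list
    address unlisted = address(0x2222); // constructed sample address not on the list

    function setUp() public {
        h = new WhitelistHarness();
        h.setListed(listed, true);
    }

    function test_whitelistEnabled() public {
        h.setEnabled(true);
        // With the flag on, both variants agree: only listed collections pass.
        assertTrue(h.allowCurrent(listed));
        assertFalse(h.allowCurrent(unlisted));
        assertTrue(h.allowProposed(listed));
        assertFalse(h.allowProposed(unlisted));
        vm.expectRevert(WhitelistHarness.NotWhiteListedError.selector);
        h.depositCurrent(unlisted);
    }

    function test_whitelistDisabled() public {
        h.setEnabled(false);
        // Current code: the filter is off, so every collection passes
        // (the behaviour this submission describes).
        assertTrue(h.allowCurrent(listed));
        assertTrue(h.allowCurrent(unlisted));
        h.depositCurrent(unlisted); // no revert
        // Proposed code: with the flag off, nothing passes, including
        // collections that are on the list.
        assertFalse(h.allowProposed(listed));
        assertFalse(h.allowProposed(unlisted));
        vm.expectRevert(WhitelistHarness.NotWhiteListedError.selector);
        h.depositProposed(listed);
    }
}
```

Run with `forge test` in a project that has forge-std installed. The second test makes the trade-off of the proposed change visible: because it replaces `||` with `&&`, every deposit reverts while _whiteListEnabled is false, listed collections included, so whoever evaluates this recommendation needs to decide whether "whitelist disabled" is meant to admit all collections or none.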
Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

sabit Submitter
11 months ago
n0kto Lead Judge
11 months ago
