Potential Misconfiguration in L1-L2 Collection Mapping
The setL1L2CollectionMapping function in the Starklane contract includes a force parameter that allows for overwriting existing mappings between L1 and L2 collections. While this can be useful, it also poses a risk if misused, leading to incorrect mappings that could result in asset loss.
Description: The force parameter in setL1L2CollectionMapping could be misused, leading to incorrect or unintended mappings, which might result in asset loss across L1 and L2.
Location:setL1L2CollectionMapping function in ethereum/src/IStarklane.sol
Issue: The setL1L2CollectionMapping function allows an L1 to L2 address mapping to be set with a force parameter. Misuse of this parameter could lead to unintended or incorrect mappings, potentially causing loss of assets.
Impact: Incorrect mappings could cause assets to be locked or lost across L1 and L2.
Tools used: Manual Review.
Recommendations: Ensure the force parameter in setL1L2CollectionMapping is used only when necessary and document its use to prevent misconfiguration.
Potential changes: To ensure this powerful feature is used responsibly, I added warnings and checks whenever the force parameter is used. This would help prevent accidental or malicious misconfiguration.
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.