NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Incomplete Handling of ERC1155 Token Standard

Description:
The current implementation only supports ERC721 tokens. There are TODO comments indicating the intention to add ERC1155 support, but this is not yet implemented.

Location: Throughout the contract, particularly in the withdraw_auto_from_l1 and deposit_tokens functions in apps/blockchain/starknet/src/bridge.cairo.

Issue:
The lack of support for ERC1155 could limit the functionality of the bridge, and the partial implementation might introduce bugs if mistakenly assumed to be complete.

Impact:
Without full ERC1155 support, the bridge might fail to handle certain token types correctly, leading to potential losses or operational failures.

Tools used: Manual Review.

Recommendations:
Complete the implementation for ERC1155 support or clearly document that the current version only supports ERC721.

Potential changes:
Extend the functions to handle ERC1155 tokens or explicitly disallow them until support is implemented.

```
#[l1_handler]
fn withdraw_auto_from_l1(
    ref self: ContractState,
    from_address: felt252,
    req: Request
) {
    ensure_is_enabled(@self);
    assert(self.bridge_l1_address.read().into() == from_address, 'Invalid L1 msg sender');
    // New: Check CollectionType to ensure only ERC721 is handled
    // (error text kept within the 31-character short-string limit)
    let _ctype = collection_type_from_header(req.header);
    assert(_ctype == CollectionType::ERC721, 'Only ERC721 supported');
    let collection_l2 = ensure_erc721_deployment(ref self, @req);
    // Rest of the function...
}

fn deposit_tokens(
    ref self: ContractState,
    salt: felt252,
    collection_l2: ContractAddress,
    owner_l1: EthAddress,
    token_ids: Span<u256>,
    use_withdraw_auto: bool,
    use_deposit_burn_auto: bool,
) {
    ensure_is_enabled(@self);
    assert(!self.bridge_l1_address.read().is_zero(), 'Bridge is not open');
    let from = starknet::get_caller_address();
    assert(_is_white_listed(@self, collection_l2), 'Collection not whitelisted');
    // New: Ensure only ERC721 tokens are deposited
    // As written, ctype is a constant, so this assertion always passes;
    // an effective check would have to derive the type from collection_l2.
    let ctype = CollectionType::ERC721;
    assert(ctype == CollectionType::ERC721, 'Only ERC721 supported');
    // Existing logic...
}
```
Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

invalid-ERC1155-not-in-scope

```
compatibilities:
  Blockchains:
    - Ethereum/Starknet
  Tokens:
    - [ERC721](www.tokenstandard.com)
```

```
function depositTokens(
    uint256 salt,
    address collectionL1,
    snaddress ownerL2,
    uint256[] calldata ids,
    bool useAutoBurn
) external payable {
    if (!Cairo.isFelt252(snaddress.unwrap(ownerL2))) {
        revert CairoWrapError();
    }
    if (!_enabled) {
        revert BridgeNotEnabledError();
    }
    CollectionType ctype = TokenUtil.detectInterface(collectionL1);
    if (ctype == CollectionType.ERC1155) {
@>      revert NotSupportedYetError();
    }
    …
}
```
