ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Excess Fee Vulnerability in `depositTokens` Function of `Bridge.sol`

pelz

Summary

The depositTokens function in the Bridge.sol contract sends a message to the Starknet layer 2 via IStarknetMessaging.sendMessageToL2. The issue arises because the function does not calculate the required fees for sending the message, leading to a situation where users can send excess funds and lose them in fees. This can result in users overpaying and losing funds unnecessarily.

Vulnerability Details

The relevant code snippet from the depositTokens function is:

IStarknetMessaging(_starknetCoreAddress).sendMessageToL2{value: msg.value}(
snaddress.unwrap(_starklaneL2Address),
felt252.unwrap(_starklaneL2Selector),
payload
);

In this code, the function sends the entire msg.value as the fee for sending the message to Starknet, without calculating the exact fee required. As a result, users might inadvertently send more ETH than necessary, leading to loss of funds.

Proof of Concept (PoC)

Consider a scenario where a user sends 1 ETH as fees, which is excessive for the operation:

function test_depositTokenERC721_ExcessFees() public {
IERC721MintRangeFree(erc721C1).mintRangeFree(alice, 0, 10);
uint256[] memory ids = new uint256[](2);
ids[0] = 0;
ids[1] = 9;
uint256 salt = 0x1;
snaddress to = Cairo.snaddressWrap(0x1);
vm.startPrank(alice);
IERC721(erc721C1).setApprovalForAll(address(bridge), true);
// Pay 1 ether for fees which is excessive
IStarklane(bridge).depositTokens{value: 1 ether}(
salt,
address(erc721C1),
to,
ids,
false
);
vm.stopPrank();
}

In this test, the user pays 1 ETH for fees, which is more than necessary. Since the function does not calculate or refund the excess, the user loses the excess amount.

Impact

  • Loss of Funds: Users may overpay the fee, resulting in unnecessary loss of funds.

Tools Used

  • Manual Review

  • Foundry (for testing PoC)

Recommendations

  1. Implement Fee Calculation: The contract should calculate the exact fee required for sending the message to Starknet. This can be done by querying the Starknet messaging contract for the required fee or implementing a fee estimation mechanism.

Conclusion

The depositTokens function in Bridge.sol currently does not properly calculate the fees required for sending a message to Starknet, leading to potential overpayment and loss of funds for users. By implementing a fee calculation mechanism and refunding excess fees, the contract can prevent unnecessary losses and improve user experience.

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

pelz Submitter
11 months ago
n0kto Lead Judge
11 months ago
n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.