No checks on token_id uniqueness.
The function processes a list of token IDs without verifying whether each token_id is unique within the request. Here's the relevant part of the code:
The problem here is that the same token_id could appear multiple times in req.ids, and the function would process it each time without any checks.
Suppose the request contains token IDs [1, 2, 1], and all these tokens are initially escrowed by the bridge contract.
The first occurrence of token 1 is processed: It's successfully transferred to the recipient.
Token 2 is processed: It's successfully transferred.
The second occurrence of token 1 is processed: The transfer attempt will fail because the bridge no longer owns this token.
The function will attempt to transfer the same token again. This will fail because the bridge contract no longer owns the token after the first transfer.
Manual review
Implement checks for token ID uniqueness within each request.
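The [1, 2, 1] scenario above as a runnable Python model, with the recommended uniqueness check placed before any transfer. This is an added example, not the contract's code: BridgeModel, withdraw_unchecked, withdraw_checked and find_duplicates are hypothetical names, and the escrow is modelled as a plain set.

```python
# Constructed model of a bridge escrow; every name here is hypothetical.
class DuplicateTokenId(ValueError):
    """The request lists the same token_id more than once."""

class NotEscrowed(ValueError):
    """The bridge does not hold the token it was asked to transfer."""

def find_duplicates(ids):
    """Return token IDs that occur more than once, in order of first repeat."""
    seen, dups = set(), []
    for token_id in ids:
        if token_id in seen and token_id not in dups:
            dups.append(token_id)
        seen.add(token_id)
    return dups

class BridgeModel:
    def __init__(self, escrowed):
        self.escrowed = set(escrowed)  # token IDs the bridge currently holds
        self.owner = {}                # token_id -> recipient after withdrawal

    def _transfer(self, token_id, recipient):
        if token_id not in self.escrowed:
            raise NotEscrowed(f"bridge does not own token {token_id}")
        self.escrowed.remove(token_id)
        self.owner[token_id] = recipient

    def withdraw_unchecked(self, ids, recipient):
        """Behaviour described in the finding: every entry is processed as-is."""
        for token_id in ids:
            self._transfer(token_id, recipient)

    def withdraw_checked(self, ids, recipient):
        """Recommended behaviour: reject the request before touching any token."""
        dups = find_duplicates(ids)
        if dups:
            raise DuplicateTokenId(f"duplicate token_id in request: {dups}")
        for token_id in ids:
            self._transfer(token_id, recipient)

def run_scenario(method_name, ids=(1, 2, 1)):
    """Run one withdrawal on a fresh bridge; return (error name, transfers done)."""
    bridge = BridgeModel(escrowed={1, 2})
    try:
        getattr(bridge, method_name)(list(ids), "recipient")
        return None, len(bridge.owner)
    except ValueError as exc:
        return type(exc).__name__, len(bridge.owner)
```

In the model, the unchecked path fails on the third entry after two transfers have already run, while the checked path rejects the request with a specific error before any token moves.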
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.