ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Bridged NFTs from L2 to L1 with enabled `use_withdraw_auto` cannot be withdrawn

gajiknownnothing

Summary

When bridging NFTs from L2 to L1 with the use_withdraw_auto flag enabled, users are unable to withdraw these NFTs on L1 due to the auto-withdraw functionality being disabled in the withdrawTokens() function of the L1 bridge contract.

Vulnerability Details

When bridging NFTs from L2 to L1, the use_withdraw_auto flag can be set to true. This flag will be encoded into the request header and sent to L1:

File: bridge.cairo

242: fn deposit_tokens(

243: ref self: ContractState,

244: salt: felt252,

245: collection_l2: ContractAddress,

246: owner_l1: EthAddress,

247: token_ids: Span<u256>,

248:> use_withdraw_auto: bool,

249: use_deposit_burn_auto: bool,

250: ) {

...

276: let req = Request {

277:> header: compute_request_header_v1(ctype, use_deposit_burn_auto, use_withdraw_auto),

278: hash: compute_request_hash(salt, collection_l2, owner_l1, token_ids),

However, the withdrawTokens() function on the L1 bridge contract checks the request header. If use_withdraw_auto is enabled, it attempts to use the auto-withdraw functionality, which has been disabled:

File: Bridge.sol#withdrawTokens

169: if (Protocol.canUseWithdrawAuto(header)) {

170:> // 2024-03-19: disabled autoWithdraw after audit report

171:> // _consumeMessageAutoWithdraw(_starklaneL2Address, request);

172:> revert NotSupportedYetError();

173: } else {

174: _consumeMessageStarknet(_starknetCoreAddress, _starklaneL2Address, request);

175: }

Impact

Users who bridge NFTs from L2 to L1 with the use_withdraw_auto flag enabled will be unable to withdraw their NFTs on L1, results in locking these NFTs.

Tools Used

vscode

Recommendations

Ensure use_withdraw_auto is constantly set to false until the protocol supports this feature.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-auto_withdrawn-L2-NFT-stuck

Impact: High, token will be stuck in L2 bridge. Likelyhood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.