NFTBridge
60,000 USDC
Submission Details
Severity: medium
Invalid

Re-deployment of same contract due to bug in Cairo version `<2.7`

Summary

A vulnerability exists in Cairo versions <2.7, specifically in version 2.6.3, which the ArkProject currently uses. In this version, the `deploy_syscall` function does not throw an error when the same contract is redeployed. This issue has been resolved in Cairo v2.7.0, but it remains a concern in the current environment.

Vulnerability Details

In Cairo version 2.6.3, the `deploy_syscall` function permits the re-deployment of the same contract multiple times without raising an error. Within the ArkProject, the function `set_l1_l2_collection_mapping` allows overwriting existing mappings and even setting collections to a zero address for removal:

```cairo
fn set_l1_l2_collection_mapping(ref self: ContractState, collection_l1: EthAddress, collection_l2: ContractAddress) {
    ensure_is_admin(@self);
    self.l1_to_l2_addresses.write(collection_l1, collection_l2);
    self.l2_to_l1_addresses.write(collection_l2, collection_l1);
}
```

If a mapping is removed and someone bridges tokens of the removed collection from L1 to L2, the sequencer invokes `withdraw_auto_from_l1`, which subsequently calls `deploy_erc721_bridgeable` and permits redeployment of a contract that is already deployed. This behavior, caused by the bug in Cairo 2.6.3, allows for unintended redeployment on StarkNet, which is logically incorrect.

Impact

The issue in Cairo 2.6.3 allows multiple redeployments of the same contract, and in ArkProject this could allow a malicious user to exploit the system. If an admin removes a collection mapping by setting it to zero because of violations by the collection, they might believe that the collection is permanently removed and cannot be redeployed on StarkNet. However, the malicious user could still redeploy the same contract when bridging from L1 to L2. This occurs because the sequencer calls `withdraw_auto_from_l1`, which triggers the redeployment by invoking `deploy_erc721_bridgeable`. This could lead to unintended redeployment of the malicious collection contract, undermining the admin's actions and potentially causing security and operational issues within ArkProject.

Recommendation

Update the project to the latest version of Cairo, preferably v2.7.0 or higher, where this issue has been resolved.
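
The sequence described under Vulnerability Details and Impact, as an added Python model (not ArkProject or Cairo code): it replays bridge, admin removal, bridge again against a toy deploy primitive that either accepts or rejects an occupied address, and against a hypothetical `removed` set that makes an admin removal stick whatever the deploy primitive does. The address derivation, the salt choice, the `tombstones` option and the sample L1 address are assumptions made for the model.

```python
import hashlib

ZERO = 0  # zero address; the page's admin function uses it to mean "mapping removed"

class AddressOccupied(Exception):
    """Deploy targeted an address that already holds a contract."""

class Chain:  # toy chain state; the address formula is a stand-in, not Starknet's
    def __init__(self, reject_occupied):
        self.reject_occupied = reject_occupied  # False models the behaviour the report describes
        self.deploy_count = {}  # address -> number of successful deploys

    def deploy(self, class_hash, salt):
        digest = hashlib.sha256(f"{class_hash}:{salt}".encode()).digest()
        addr = int.from_bytes(digest[:8], "big") or 1  # never equal to ZERO
        if self.reject_occupied and addr in self.deploy_count:
            raise AddressOccupied(hex(addr))
        self.deploy_count[addr] = self.deploy_count.get(addr, 0) + 1
        return addr

class Bridge:
    def __init__(self, chain, tombstones=False):
        self.chain, self.l1_to_l2, self.l2_to_l1 = chain, {}, {}
        self.removed = set() if tombstones else None  # hypothetical hardening, not ArkProject code

    def set_l1_l2_collection_mapping(self, l1, l2):  # the page's two writes; admin check omitted
        if l2 == ZERO and self.removed is not None:
            self.removed.add(l1)  # remember the removal instead of only zeroing the mapping
        self.l1_to_l2[l1], self.l2_to_l1[l2] = l2, l1

    def withdraw_auto_from_l1(self, l1):
        if self.removed is not None and l1 in self.removed:
            raise PermissionError("collection removed by admin")
        l2 = self.l1_to_l2.get(l1, ZERO)
        if l2 == ZERO:  # unmapped: auto-deploy (deploy_erc721_bridgeable on the page)
            l2 = self.chain.deploy("erc721_bridgeable", salt=l1)  # assumption: salt derives from l1
            self.l1_to_l2[l1], self.l2_to_l1[l2] = l2, l1
        return l2

def scenario(reject_occupied, tombstones, l1=0xC011EC7):  # l1 is a constructed address
    """Bridge once, admin zeroes the mapping, bridge again; returns (outcome, deploy count)."""
    bridge = Bridge(Chain(reject_occupied), tombstones)
    addr = bridge.withdraw_auto_from_l1(l1)
    bridge.set_l1_l2_collection_mapping(l1, ZERO)
    try:
        bridge.withdraw_auto_from_l1(l1)
        outcome = "redeployed"
    except (AddressOccupied, PermissionError) as exc:
        outcome = type(exc).__name__
    return outcome, bridge.chain.deploy_count[addr]
```

`scenario(False, False)` is the case the report describes; the other flag combinations show the second bridge attempt failing either at the deploy primitive or at the bridge's own check.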

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

0xtheblackpanther Submitter
11 months ago
n0kto Lead Judge
11 months ago
n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
