A critical mismatch exists between the deposit function on the Starknet side and the withdrawal function on the Ethereum side of the bridge. This mismatch can lead to assets being permanently locked in the Starknet bridge when users attempt to use an unsupported auto-withdrawal feature.
The vulnerability stems from a discrepancy between the Starknet and Ethereum sides of the bridge:
- Starknet Side (Deposit Function): `bridge.cairo`
- Ethereum Side (Withdraw Function): `Bridge.sol`
The Starknet deposit function allows setting `use_withdraw_auto` to `true`, but the Ethereum withdraw function explicitly reverts if this option is set, making it impossible to withdraw these assets.
Users who deposit tokens on Starknet with `use_withdraw_auto = true` will have their assets permanently locked in the bridge, as withdrawals on Ethereum will always revert for these deposits.
Manual review
Implement a check in the Starknet `deposit_tokens` function to disallow `true` for `use_withdraw_auto`.
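The mismatch and the effect of the recommended check, as a small Python model added here (it is not the project's Cairo or Solidity code). Apart from `deposit_tokens` and `use_withdraw_auto`, every name is an assumption, and the two sides are reduced to the behaviour the finding describes.

```python
# Added model; hypothetical names, constructed inputs.
from dataclasses import dataclass, field


class Revert(Exception):
    """Stands in for a contract revert."""


@dataclass
class L2Bridge:
    reject_withdraw_auto: bool  # False = behaviour described in the finding
    escrow: set = field(default_factory=set)

    def deposit_tokens(self, token_id, use_withdraw_auto):
        if self.reject_withdraw_auto and use_withdraw_auto:
            raise Revert("withdraw auto not supported")  # recommended check
        self.escrow.add(token_id)  # token is now held by the L2 bridge
        return {"token_id": token_id, "use_withdraw_auto": use_withdraw_auto}


def l1_withdraw(message):
    # Ethereum side as described: reverts whenever the option is set.
    if message["use_withdraw_auto"]:
        raise Revert("not supported yet")
    return message["token_id"]


def stranded_deposits(l2):
    """Option values that L2 accepts but L1 can never withdraw.

    Each entry is (use_withdraw_auto, token_still_in_escrow).
    """
    stranded = []
    for token_id, flag in enumerate((False, True)):
        try:
            msg = l2.deposit_tokens(token_id, flag)
        except Revert:
            continue  # rejected up front: nothing was escrowed
        try:
            l1_withdraw(msg)
        except Revert:
            stranded.append((flag, token_id in l2.escrow))
    return stranded


if __name__ == "__main__":
    print("as described:", stranded_deposits(L2Bridge(False)))
    print("with check:  ", stranded_deposits(L2Bridge(True)))
```

The same accept-on-one-side, reject-on-the-other comparison can be run as a regression test over every deposit option a bridge exposes.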
Impact: High, token will be stuck in L2 bridge. Likelihood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.