Unsupported collections can be bridged incorrectly especially when the whitelist is disabled
Summary
Unsupported collections can be bridged incorrectly especially when the whitelist is disabled.
Vulnerability Details
The mapping _l1ToL2Addresses is responsible for storing the Starknet address of supported collections.
It is included in the Request struct which is later serialized before sending it, as part of the payload, on Starknet in Bridge:depositTokens():
However, the code doesn't properly handle the case when req.collectionL2 == 0, which will result in the impossibility to mint the corresponding Nft on Starknet.
Impact
Unsupported Nft collections can be bridged but, since _l1ToL2Addresses is't configured for them, they will fail on Starknet and the user must call cancelRequest() in another transaction and wait days to get his Nfts back.
Note that this is more probable to occur when the whitelist is disabled, since it is expected that whitelisted collections are properly configured by the owner.
Tools Used
Manual review
Recommendations
Revert if req.collectionL2 == 0 to avoid bridging unsupported or not-properly-configured collections.
Additionally, I reccomend setting the _l1ToL2Addresses for the collection inside whiteList() to avoid misconfigurations.
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.