NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Unsupported collections can be bridged incorrectly especially when the whitelist is disabled

Summary

Unsupported collections can be bridged incorrectly especially when the whitelist is disabled.

Vulnerability Details

The mapping _l1ToL2Addresses is responsible for storing the Starknet address of supported collections.

It is included in the Request struct which is later serialized before sending it, as part of the payload, on Starknet in Bridge:depositTokens():

    req.collectionL2 = _l1ToL2Addresses[collectionL1];
    uint256[] memory payload = Protocol.requestSerialize(req);
    IStarknetMessaging(_starknetCoreAddress).sendMessageToL2{value: msg.value}(
        snaddress.unwrap(_starklaneL2Address),
        felt252.unwrap(_starklaneL2Selector),
        payload
    );

However, the code doesn't properly handle the case when req.collectionL2 == 0, which will result in the impossibility to mint the corresponding NFT on Starknet.

Impact

Unsupported NFT collections can be bridged but, since _l1ToL2Addresses isn't configured for them, they will fail on Starknet and the user must call cancelRequest() in another transaction and wait days to get his NFTs back.

Note that this is more probable to occur when the whitelist is disabled, since it is expected that whitelisted collections are properly configured by the owner.

Tools Used

Manual review

Recommendations

Revert if req.collectionL2 == 0 to avoid bridging unsupported or not-properly-configured collections.

Additionally, I recommend setting the _l1ToL2Addresses for the collection inside whiteList() to avoid misconfigurations.

    function whiteList(
        address collection,
        snaddress collectionL2,
        bool enable
    ) external onlyOwner {
        _whiteListCollection(collection, enable);
        // Record the L1 -> L2 collection mapping in the same call as the whitelist update.
        _setL1L2AddressMapping(collection, collectionL2, true);
        emit CollectionWhiteListUpdated(collection, enable);
    }

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
