NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Airdrop loss when token is in escrow

Github

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/Escrow.sol

Summary

Airdrops can be permanently lost if the user's token is in the escrow contract during the airdrop distribution.

Vulnerability Details

User tokens can end up in the escrow contract in two ways:

  1. Bridging from L1 to L2: When a user deposits their token into escrow to bridge it from L1 to L2, the token is locked in escrow and a new token is minted on L2.

  2. Failed Deposit Request: When a user requests a deposit into escrow to bridge from L1 to L2 but the request fails, the token remains in escrow. In this case, the user must wait 5 days plus the team's response time before the token can be withdrawn from escrow.

If the user's token is in escrow for either of these reasons and an airdrop is distributed to that collection, the airdrop will be sent to the escrow contract instead of the user's account. Currently, there appears to be no way to withdraw the airdrop from the escrow contract.

Impact

Users may permanently lose airdrops if their tokens are in escrow.

Proof of Concept

Consider a scenario where a $20k airdrop is scheduled for a collection at a specific time or day and the protocol distributes it to all current holders. If a user's NFT is in escrow at that moment, the airdrop goes to the escrow contract instead of the user. Since there is no mechanism to withdraw such tokens from escrow, the airdropped funds/tokens are stuck there permanently.

Recommendation

  • Implement a solution that allows users to receive airdrops even if their tokens are in escrow.

  • Alternatively, add a restricted function that enables users to withdraw stuck airdrops from the escrow contract.
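An added illustration of the second recommendation, not code from the ark-project repository: a hypothetical escrow that records the depositor of each NFT so an operator-restricted rescue function can only route a stuck ERC20 or ERC721 airdrop to that recorded depositor, and never release an escrowed deposit itself. It assumes OpenZeppelin v5 interfaces; the contract and function names are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical escrow (not the ark-project Escrow.sol): records who deposited
/// each NFT so an airdrop that lands here can be routed back to that depositor.
contract EscrowWithAirdropRescue is Ownable, IERC721Receiver {
    using SafeERC20 for IERC20;

    // collection => tokenId => original depositor (the rightful airdrop recipient)
    mapping(address => mapping(uint256 => address)) public depositorOf;

    constructor() Ownable(msg.sender) {}

    function deposit(address collection, uint256 tokenId) external {
        depositorOf[collection][tokenId] = msg.sender;
        IERC721(collection).safeTransferFrom(msg.sender, address(this), tokenId);
    }

    function withdraw(address collection, uint256 tokenId) external {
        require(depositorOf[collection][tokenId] == msg.sender, "not depositor");
        delete depositorOf[collection][tokenId];
        IERC721(collection).safeTransferFrom(address(this), msg.sender, tokenId);
    }

    /// ERC20 airdrop earned by an escrowed NFT: forwarded only to its recorded depositor.
    function rescueERC20(address token, address collection, uint256 tokenId, uint256 amount) external onlyOwner {
        address to = depositorOf[collection][tokenId];
        require(to != address(0), "no depositor recorded");
        IERC20(token).safeTransfer(to, amount);
    }

    /// ERC721 airdrop (e.g. a companion NFT minted to holders): same routing, but never an escrowed deposit.
    function rescueERC721(address nft, uint256 id, address collection, uint256 tokenId) external onlyOwner {
        require(depositorOf[nft][id] == address(0), "escrowed deposit, not an airdrop");
        address to = depositorOf[collection][tokenId];
        require(to != address(0), "no depositor recorded");
        IERC721(nft).safeTransferFrom(address(this), to, id);
    }

    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Routing to the L1 depositor assumes the bridged L2 copy has not changed hands; for tokens that were bridged successfully the operator would need to use the L2 owner at the airdrop snapshot instead.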

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-NFT-with-priviledges-could-lose-them

Loss of rewards not associated with the protocol: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

Appeal created

0xtheblackpanther Submitter 10 months ago
n0kto Lead Judge 10 months ago
n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-NFT-with-priviledges-could-lose-them

Loss of rewards not associated with the protocol: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
