ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Incorrect whitelisting logic in _is_white_listed function

sabit

Summary

Incorrect whitelisting logic in _is_white_listed function causes unauthorized asset bridging.

Vulnerability Details

The _is_white_listed function contains a logic error that bypasses the whitelist check when the whitelist feature is disabled.

fn _is_white_listed(self: @ContractState, collection: ContractAddress) -> bool {

let enabled = self.white_list_enabled.read();

if (enabled) {

let (ret, _) = self.white_listed_list.read(collection);

return ret;

}

true

}

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L482C2-L489C6

The issue is that the logic above allows all collections to be considered white-listed when white-listing is disabled. If enabled is true, the function correctly checks the white list. However, if enabled is false, the function always returns true, bypassing the white list entirely.

It means that when white-listing is disabled, the function considers all collections to be white-listed.

This has a direct impact on the deposit_tokens function, which calls _is_white_listed to check if a collection is authorized for bridging.

assert(_is_white_listed(@self, collection_l2), 'Collection not whitelisted');

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L261

Due to this bug, when the whitelist is disabled, any collection can be deposited for bridging, regardless of its actual whitelist status.

Also, the is_white_listed function will return true even if a collection is not white listed when enabled is false.

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L326

Impact

Users can deposit and bridge tokens from any collection.

is_white_listed will also return true for a on-whitelisted collection.

Tools Used

Manual review

Recommendations

Ensure that when white-listing is disabled, the function returns false for all collections.

fn _is_white_listed(self: @ContractState, collection: ContractAddress) -> bool {

let enabled = self.white_list_enabled.read();

if (enabled) {

let (ret, _) = self.white_listed_list.read(collection);

return ret;

}

false // Return false when white-listing is disabled

}

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!