NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

The enable function emits an event regardless of whether the contract state changes

Summary

The enable function emits an event regardless of whether the contract state changes.

Vulnerability Details

fn enable(ref self: ContractState, enable: bool) {
    ensure_is_admin(@self);
    self.enabled.write(enable);
    self.emit(BridgeEnabled {
        enable: enable
    });
}

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L348C8-L355C1

The issue is that the event is emitted regardless of whether the state actually changed. Even if the enable parameter matches the current value of self.enabled, the function still writes the value and emits a BridgeEnabled event, because it never checks the current state first.

Impact

It could lead to misleading event logs where it appears the bridge status has changed when it actually hasn't.

The function will unnecessarily consume gas to emit an event for a non-change.

Tools Used

Manual review

Recommendations

Emit the event only if the state actually changes. Here's a corrected version:

fn enable(ref self: ContractState, enable: bool) {
    ensure_is_admin(@self);
    let current_state = self.enabled.read();
    if current_state != enable {
        self.enabled.write(enable);
        self.emit(BridgeEnabled {
            enable: enable
        });
    }
}
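
The difference between the two versions as seen by a consumer of the event log, as an added example (a Python model, not the project's Cairo code). The `Bridge` class, `count_transitions`, the initial `False` state and the call sequence are assumptions constructed for illustration.

```python
class Bridge:
    """Minimal model of the `enabled` flag and its BridgeEnabled event log."""

    def __init__(self, check_state: bool):
        self.enabled = False            # assumed initial value of the flag
        self.check_state = check_state  # True models the recommended version
        self.events = []                # emitted BridgeEnabled payloads, in order

    def enable(self, enable: bool) -> None:
        # Admin check omitted: the model only tracks state and events.
        if self.check_state and self.enabled == enable:
            return                      # recommended version: no write, no event
        self.enabled = enable
        self.events.append({"event": "BridgeEnabled", "enable": enable})


def count_transitions(events, initial=False):
    """Replay events, separating real state changes from no-op emissions."""
    state, changes, noops = initial, 0, 0
    for ev in events:
        if ev["enable"] == state:
            noops += 1                  # event fired but the flag did not change
        else:
            changes += 1
            state = ev["enable"]
    return {"events": len(events), "changes": changes,
            "noops": noops, "final": state}


# Constructed admin call sequence: two of the five calls repeat the current value.
CALLS = [True, True, False, False, True]


def run(check_state: bool):
    bridge = Bridge(check_state)
    for value in CALLS:
        bridge.enable(value)
    return count_transitions(bridge.events)


if __name__ == "__main__":
    print("original   :", run(check_state=False))
    print("recommended:", run(check_state=True))
```

A consumer that counts every BridgeEnabled event as a status change over-reports against the original version; replaying the payload against the last known value, as `count_transitions` does, filters the no-op emissions.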
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
