Summary

The StarkNet-Ethereum bridge allows users to set the use_withdraw_auto flag to true on StarkNet for automatic token withdrawals on Ethereum. However, the Ethereum contract always reverts when this flag is enabled due to the feature being disabled on the Ethereum side. This misalignment prevents users from canceling or completing withdrawals on Ethereum

Vulnerability Details

In the current implementation, users can enable the use_withdraw_auto flag on StarkNet when depositing tokens to the Ethereum. However, when the withdrawal process is attempted on the Ethereum side, the contract reverts if use_withdraw_auto is enabled, as this feature was intentionally disabled following an audit.

This results in a situation where users are led to believe that automatic withdrawals are possible, but they are unable to complete the process or cancel the withdrawal on Ethereum. The feature is effectively broken, as the Ethereum contract throws a NotSupportedYetError whenever it encounters the use_withdraw_auto flag.

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L242

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L172

Impact

The inability to cancel or complete automatic withdrawals on Ethereum while still allowing the option to enable the feature on StarkNet creates a serious usability issue. Users who enable use_withdraw_auto may find themselves stuck, unable to retrieve their tokens due to the withdrawal process consistently reverting on Ethereum

Tools Used

manual

Recommendations

Disable use_withdraw_auto on starknet