In StarkNet, users do not have addresses. Transactions sent to the network have the 0 address as caller.
In order to identify accounts via addresses, each user deploys his account contract and interacts with
contracts.
The depositTokens() function of the L1Bridge contract allows users to deposit with the to address
set to 0. However, the execution of withdraw_auto_from_l1, initiated by the l1_handler on L2, will fail, as
minting an NFT for the zero address will revert or the token will get burned.
As a result, the deposited NFT on L1 will be locked in the escrow forever.
Foundry
The code should have a check on L2:
• to != 0 to ensure that the address is non-zero.
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.