NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

`depositTokens` does not return the message nonce making it non-trivial to cancel them

Summary

Cancelling a message through startRequestCancellation and cancelRequest is virtually impossible for a non-sophisticated user, because they have no knowledge of the nonce that is required.

Vulnerability Details

In order to call the cancel functions (startRequestCancellation and cancelRequest), the nonce used when sending the message is needed. This nonce is returned by the call to sendMessageToL2 inside depositTokens:

```solidity
function depositTokens(
    uint256 salt,
    address collectionL1,
    snaddress ownerL2,
    uint256[] calldata ids,
    bool useAutoBurn
)
    external
    payable
{
    // [...]

    uint256[] memory payload = Protocol.requestSerialize(req);
    if (payload.length >= MAX_PAYLOAD_LENGTH) {
        revert TooManyTokensError();
    }
    IStarknetMessaging(_starknetCoreAddress).sendMessageToL2{value: msg.value}(
        snaddress.unwrap(_starklaneL2Address),
        felt252.unwrap(_starklaneL2Selector),
        payload
    );

    emit DepositRequestInitiated(req.hash, block.timestamp, payload);
}
```

The problem is that this nonce is not returned by depositTokens. The user calling it therefore has no way of knowing which nonce was used, since the nonce is assigned internally by Starknet's messaging contract.

Impact

Since users do not know what their nonce was, they also cannot use the functionality provided to cancel failed messages.
The nonce is emitted in an event by the StarknetMessaging contract, but finding the correct event when multiple bridgings have been done is non-trivial, especially for a non-sophisticated user.

Proof of Concept

As shown in Vulnerability Details, depositTokens does not return anything: the nonce provided by Starknet is simply discarded instead of being returned to the user.

Tools Used

Manual review

Recommended Mitigation

In order to make the cancel functionality actually usable, I would recommend returning the nonce to the user when calling depositTokens.
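As an added illustration of this mitigation (example code, not Starklane's and not part of the original submission): a trimmed depositTokens that captures the nonce returned by sendMessageToL2, includes it in the deposit event, and returns it. It assumes StarkWare's IStarknetMessaging.sendMessageToL2 returns (bytes32 msgHash, uint256 nonce); the contract name, the MAX_PAYLOAD_LENGTH value and the _serialize helper are hypothetical stand-ins for Starklane's own types.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added sketch of the mitigation, not Starklane's code. Assumes StarkWare's
// IStarknetMessaging.sendMessageToL2 returns (bytes32 msgHash, uint256 nonce).
interface IStarknetMessaging {
    function sendMessageToL2(uint256 toAddress, uint256 selector, uint256[] calldata payload)
        external payable returns (bytes32 msgHash, uint256 nonce);
}

contract BridgeDepositSketch {
    uint256 public constant MAX_PAYLOAD_LENGTH = 300; // hypothetical bound
    address immutable _starknetCoreAddress;
    uint256 immutable _starklaneL2Address;  // snaddress, already unwrapped
    uint256 immutable _starklaneL2Selector; // felt252, already unwrapped

    error TooManyTokensError();

    // The nonce is now part of the event, so a wallet user can read it from
    // their own transaction receipt instead of searching StarknetMessaging logs.
    event DepositRequestInitiated(bytes32 indexed hash, uint256 nonce, uint256 blockTimestamp, uint256[] payload);

    constructor(address core, uint256 l2Address, uint256 l2Selector) {
        _starknetCoreAddress = core;
        _starklaneL2Address = l2Address;
        _starklaneL2Selector = l2Selector;
    }

    // Hypothetical stand-in for Protocol.requestSerialize(req); the real payload
    // layout is Starklane's and does not matter for the nonce handling shown here.
    function _serialize(bytes32 reqHash, uint256[] calldata ids) internal pure returns (uint256[] memory payload) {
        payload = new uint256[](1 + ids.length);
        payload[0] = uint256(reqHash);
        for (uint256 i = 0; i < ids.length; i++) payload[1 + i] = ids[i];
    }

    function depositTokens(bytes32 reqHash, uint256[] calldata ids) external payable returns (uint256 nonce) {
        uint256[] memory payload = _serialize(reqHash, ids);
        if (payload.length >= MAX_PAYLOAD_LENGTH) revert TooManyTokensError();

        // Capture the nonce StarknetMessaging assigns instead of discarding it.
        (, nonce) = IStarknetMessaging(_starknetCoreAddress).sendMessageToL2{value: msg.value}(
            _starklaneL2Address, _starklaneL2Selector, payload
        );

        emit DepositRequestInitiated(reqHash, nonce, block.timestamp, payload);
        // The caller keeps `nonce` for startRequestCancellation / cancelRequest.
    }
}
```

A return value from a state-changing call is only observable by a calling contract, so including the nonce in DepositRequestInitiated is what makes it visible to a wallet user through the transaction receipt.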

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
