Missed event for admin operations (2 findings) and lack of parameters checks (3 findings).
Hi 👋, this is my first report for Cyfrin so i hope to comply with all findings requirements..😬
Summary (1/5)
Missed event for admin operation in cairo functions
Vulnerability Details
The functions enable_white_list, set_bridge_l1_addr, set_erc721_class_hash and set_l1_l2_collection_mapping in bridge.cairo lacks of events for
administrative writing operations which is a best practice for admin operations. (Same functions in solidity already emit events)
Impact
Lost of critical records to audit administrator activities and keep transparency for third parties.
Tools Used
VSCode
Recommended Mitigation
Emit an event after change adminitrative variables status.
Summary (2/5)
Missed event for admin operation in solidity functions
Vulnerability Details
The function enableBridge in bridge.sol lacks of events for administrative writing operations which is a best practice for admin operations. (Same function in cairo already have events)
Impact
Lost of critical records to audit administrator activities and keep transparency for third parties.
Tools Used
VSCode
Recommended Mitigation
Emit an event after change adminitrative variables status.
Summary (3/5)
Unchecked parameter L1 bridge address
Vulnerability Details
The function set_bridge_l1_addr in bridge.cairo lack checks for address parameter exposing the platform to deny deposits for users in Starknet in case of
an admin set this value to zero (intentionally or unintentionally).
1)Missing assert for zero bridge address:
2)Then deposit_tokens will reject deposits for a zero address bridge:
Impact
Deposits denegation for users in case of an admin set this value to zero (intentionally or unintentionally).
Tools Used
VSCode
Recommended Mitigation
Add a nonzero check in set_bridge_l1_addr function for address parameter.
Summary (4/5)
Unchecked parameter class hash
Vulnerability Details
The function set_erc721_class_hash in bridge.cairo lack checks for zero class_hash parameter exposing the platform to deny request from L1 with
new L2 collections if is intentionally or unintentionally asigned to zero.
1)Missing assert for zero class hash:
2)Then, a request from L2 calls this L1 handler function in Starknet and handler calls ensure_erc721_deployment function:
3)Then ensure_erc721_deployment function will try to deploy a zero class hash ERC721 in L2 leading to reject the bridged NFT collection from L1:
Impact
The platform will fail to process L1 to L2 messages for new L2 collections in case of an admin set this value to zero (intentionally or unintentionally).
Tools Used
VSCode
Recommended Mitigation
Add a nonzero check in set_erc721_class_hash function.
Summary (5/5)
Unchecked parameters collections
Vulnerability Details
The function set_l1_l2_collection_mapping in bridge.cairo lack checks for zero collection_l1 and collection_l2 parameters exposing the platform to deny
requests from L1.
1)Missing asserts for zero addresses collections:
2)Then, a request from L2 calls this L1 handler function in Starknet and handler calls ensure_erc721_deployment function:
3)Then ensure_erc721_deployment function will try to check L1 and L2 address consistency and this check will fail:
Impact
The platform will deny bridged collections from L1 in case of an admin set this value to zero (intentionally or unintentionally).
Tools Used
VSCode
Recommended Mitigation
Add a nonzero check in set_l1_l2_collection_mapping function
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.