ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Mechanism to Remove Addresses from Whitelist in Starklane Contract

NoodleDonn212

Summary

The Starklane contract is designed to manage a whitelist of addresses but currently lacks functionality to remove addresses once they have been added. This oversight can lead to potential security risks and operational challenges, particularly if an address needs to be delisted due to unforeseen circumstances.

Vulnerability Details

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L284

The contract does not provide a mechanism for removing addresses from the whitelist.

If an address becomes compromised or behaves maliciously, it cannot be removed from the whitelist, posing a security risk.

Impact

A compromised or malicious address on the whitelist can exploit its status to perform unauthorized actions, potentially affecting the integrity and security of the system.

Without the ability to remove addresses, managing and maintaining an accurate and secure whitelist becomes difficult.

The inability to adapt quickly in response to security incidents can lead to prolonged exposure and potential exploitation.

Failure to address compromised addresses promptly may damage trust in the system's reliability and security.

Tools Used

Manual review

Recommendations

Implement Removal Functionality:

Introduce a function that allows for removal of addresses from the whitelist.
Ensure this function is protected by appropriate access control (e.g., onlyOwner) to prevent unauthorized use.

function removeFromWhitelist(address collection) external onlyOwner {

require(_whiteList[collection], "Collection not whitelisted");

// Remove collection from _collections array

for (uint256 i = 0; i < _collections.length; i++) {

if (_collections[i] == collection) {

_collections[i] = _collections[_collections.length - 1];

_collections.pop();

break;

}

// Update whitelist mapping

_whiteList[collection] = false;

}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

invalid-unwhitelist-on-L1-do-not-pop-from-array

LightChaser: Low-19, Gas-10

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.