60,000 USDC
Submission Details
Severity:
Zero Address as L2 Destination in L1 to L2 Cross-Chain Transactions
Summary
When facilitating cross-chain transactions from Layer 1 (L1) to Layer 2 (L2), the protocol allows the use of the zero address (0x0) as a valid destination address on L2. This practice poses significant risks and should be disallowed.
Vulnerability Details
Lack of Zero Address Validation in depositTokens()
Impact
Asset Loss: Funds or tokens sent to the zero address on L2 may become irretrievable, resulting in permanent loss of assets.
POC
In test/Bridge.t.sol, add the following code:
function test_depositTokenERC721ToZeroAddress() public {
IERC721MintRangeFree(erc721C1).mintRangeFree(alice, 0, 10);
uint256[] memory ids = new uint256[](2);
ids[0] = 0;
ids[1] = 9;
uint256 salt = 0x1;
snaddress to = Cairo.snaddressWrap(0x0);
vm.startPrank(alice);
IERC721(erc721C1).setApprovalForAll(address(bridge), true);
IStarklane(bridge).depositTokens{value: 30000}(
salt,
address(erc721C1),
to,
ids,
false
);
vm.stopPrank();
assertEq(IERC721(erc721C1).ownerOf(ids[0]), address(bridge));
assertEq(IERC721(erc721C1).ownerOf(ids[1]), address(bridge));
}
The test will pass.
Tools Used
Manual Review
Recommendations
Implement strict address validation in depositTokens():
function depositTokens(
uint256 salt,
address collectionL1,
snaddress ownerL2,
uint256[] calldata ids,
bool useAutoBurn
)
external
payable
{
+ require(ownerL2 != Cairo.snaddressWrap(0x0), "Zero address");
........................
Prize pool breakdown
Total prize
60,000 USDC
nSLOC
2,30126 USDC / LOC
50,000 USDC
5,500 USDC
4,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.