NFTBridge
60,000 USDC
Submission Details
Severity: medium
Valid

No checks for whether the provided `msg.value` is sufficient in `depositTokens`

Summary

There are no checks in depositTokens for whether msg.value is sufficient for bridging, causing transfers to fail and requiring admin intervention.

Vulnerability Details

The msg.value passed to depositTokens is used to pay for the gas of the resulting transaction on L2. If this value is set too low, the bridging will not succeed.
The Starknet messaging documentation (https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/), under "L1 → L2 message fees", states:

An L1 → L2 message induces a transaction on L2, which, unlike regular transactions, is not sent by an account. This calls for a different mechanism for paying the transaction’s fee, for otherwise the sequencer has no incentive of including L1 handler transactions inside a block.
To avoid having to interact with both L1 and L2 when sending a message, L1 → L2 messages are payable on L1, by sending ETH with the call to the payable function sendMessageToL2 on the Starknet Core Contract.
The sequencer takes this fee in exchange for handling the message. The sequencer charges the fee in full upon updating the L1 state with the consumption of this message.
The fee itself is calculated in the same manner as "regular" L2 transactions. You can use the CLI to get an estimate of an L1 → L2 message fee.

This means the fee sent with the message needs to be sufficient for the sequencer to include it in a block on L2.

Impact

Since msg.value can currently be set arbitrarily and users may not know how much fee they need to send, a user who accidentally sends too little will have their NFT stuck in the L1 bridge: the NFT is transferred to the bridge on L1 but is never minted by the bridge on L2.
It is possible to retrieve the NFT by going through the cancelMessage steps on L1, but that takes five days because there is a cooldown for cancellation. The user's NFT is therefore locked for at least 5 days, which is a major inconvenience.

Tools Used

Manual review

Recommended Mitigation

In order to prevent this, I would recommend adding a fee-calculation mechanism on the L1 side that checks whether the provided msg.value is sufficient to bridge the requested NFTs.
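As an added illustration of that mitigation (not code from this submission or from the audited NFTBridge project), the hypothetical Solidity fragment below guards depositTokens with an admin-maintained fee floor before the NFTs are escrowed and before the message is sent. The sendMessageToL2 signature is Starknet's IStarknetMessaging interface; the bridge fields, the base-plus-per-token fee model and the depositTokens parameters are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Starknet Core Contract messaging entry point (signature as in Starknet's IStarknetMessaging).
interface IStarknetMessaging {
    function sendMessageToL2(uint256 toAddress, uint256 selector, uint256[] calldata payload)
        external payable returns (bytes32 msgHash, uint256 nonce);
}

// Hypothetical, minimal bridge fragment: only the fee guard around the L1 -> L2 message is shown.
contract NFTBridgeFeeGuard {
    error InsufficientL2Fee(uint256 provided, uint256 required);

    IStarknetMessaging public immutable starknet;
    uint256 public immutable l2Bridge;        // assumed L2 bridge contract address
    uint256 public immutable depositSelector; // assumed L2 handler selector
    address public owner;

    // Assumed admin-tuned floor: a base message fee plus a per-token component, kept in
    // line with the sequencer's estimate (the exact fee cannot be computed on L1).
    uint256 public baseMessageFee;
    uint256 public feePerToken;

    constructor(IStarknetMessaging _starknet, uint256 _l2Bridge, uint256 _selector) {
        starknet = _starknet; l2Bridge = _l2Bridge; depositSelector = _selector; owner = msg.sender;
    }

    function setFeeFloor(uint256 base, uint256 perToken) external {
        require(msg.sender == owner, "not owner");
        baseMessageFee = base; feePerToken = perToken;
    }

    function requiredL2Fee(uint256 tokenCount) public view returns (uint256) {
        return baseMessageFee + feePerToken * tokenCount;
    }

    function depositTokens(uint256 l2Recipient, uint256[] calldata tokenIds) external payable {
        uint256 required = requiredL2Fee(tokenIds.length);
        // The missing check: reject before escrowing the NFTs, so an under-funded message
        // can never leave the tokens stranded in the L1 bridge awaiting a 5-day cancellation.
        if (msg.value < required) revert InsufficientL2Fee(msg.value, required);
        // ... NFT escrow (transferFrom into this contract) would happen here ...
        uint256[] memory payload = new uint256[](2 + tokenIds.length);
        payload[0] = l2Recipient;
        payload[1] = tokenIds.length;
        for (uint256 i = 0; i < tokenIds.length; i++) payload[2 + i] = tokenIds[i];
        // Forward the whole msg.value to the Core Contract as the L1 -> L2 message fee.
        starknet.sendMessageToL2{value: msg.value}(l2Bridge, depositSelector, payload);
    }
}
```

The floor is a lower bound, not an exact fee: the admin still has to keep it in line with the sequencer's estimate, and a user may send more than the floor.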

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-not-enough-fee-can-block-NFT

Impact: Medium/High. Needs an admin to start a cancellation and wait for 5 days once done. DoS > 5 days. Likelihood: Low. Every time a wallet or a user does not send enough gas.
