NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Users can claim more than one NFT if a hard fork occurs

Summary

If a hard fork occurs on the destination chain, the user can withdraw NFTs on both sides - the old destination chain and the new forked one.

Vulnerability Details

If a hard fork occurs on the destination chain, the user can get more NFTs. There are two possible ways for this to happen.

The first one is when the user deposits L1 -> L2: his NFT is in the escrow, and later, when he deposits L2 -> L1, he will get his NFT from the escrow. The problem is that if a hard fork occurs, there will be a new chain with NFTs in the escrow, and the user can easily withdraw on both (old and new) chains and get two NFTs.

Another possible scenario is when a user deposits his NFT on L2 via deposit_tokens. He should receive a newly minted NFT on the L1 destination chain. But if a hard fork occurs on the destination chain, the user can use his request to claim his new NFT with withdrawTokens. The problem is that he can claim two NFTs. He will claim his NFT on the old chain as expected; however, he will also be able to claim another NFT on the new chain.

Impact

Users get NFTs on two chains. If a user has one NFT, he gets one more, but users are expected to deposit multiple NFTs, which means they will have profit to claim on both chains.

Tools Used

Manual Review

Recommendations

Cache the chainId in the constructor and check if the current chainId equals the cached one inside withdrawTokens.
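
One way to implement the recommended check, as an added example that is not part of the submission or the NFTBridge code base. `ChainBoundEscrow`, its functions, mapping and errors are hypothetical names; the contract caches `block.chainid` at deployment and rejects deposits and withdrawals on any other chain ID.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface needed here (standard transferFrom signature).
interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical escrow, not the NFTBridge contract: all names are illustrative.
contract ChainBoundEscrow {
    // Set once in the constructor. Immutables live in the deployed bytecode,
    // so a forked chain inherits the original value unchanged.
    uint256 public immutable deploymentChainId;

    // collection => tokenId => address entitled to withdraw
    mapping(address => mapping(uint256 => address)) public depositorOf;

    error WrongChain(uint256 expected, uint256 actual);
    error AlreadyEscrowed();
    error NotDepositor();

    constructor() {
        deploymentChainId = block.chainid;
    }

    // Reverts on any chain whose ID differs from the one seen at deployment.
    // A fork that keeps the same chain ID is not distinguished by this check.
    modifier onlyDeploymentChain() {
        if (block.chainid != deploymentChainId) {
            revert WrongChain(deploymentChainId, block.chainid);
        }
        _;
    }

    function deposit(address collection, uint256 tokenId) external onlyDeploymentChain {
        if (depositorOf[collection][tokenId] != address(0)) revert AlreadyEscrowed();
        depositorOf[collection][tokenId] = msg.sender;
        IERC721Minimal(collection).transferFrom(msg.sender, address(this), tokenId);
    }

    function withdraw(address collection, uint256 tokenId) external onlyDeploymentChain {
        if (depositorOf[collection][tokenId] != msg.sender) revert NotDepositor();
        delete depositorOf[collection][tokenId]; // clear state before the external call
        IERC721Minimal(collection).transferFrom(address(this), msg.sender, tokenId);
    }
}
```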

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

0xsilvermist Submitter
10 months ago
n0kto Lead Judge
10 months ago