Stuck of funds in case users use NFTs whose holders receive rewards
Summary
Stuck of funds in case users use NFTs whose holders receive rewards
Vulnerability Details
When a user deposits L1 -> L2 or the opposite, the NFT stays in the escrow on the source chain in case the user withdraws on that chain later, so he can get his NFT back from the escrow. A different type of NFT can be deposited into the protocol, but we will look at one particular one.
There are NFTs whose holders receive rewards. If a user's NFT is in escrow, the holder becomes the escrow contract and rewards will be sent there. The user is unable to claim his rewards on the destination chain and also the rewards get stuck in the contract.
Impact
Stuck of funds
Tools Used
Manual Review
Recommendations
Solving this problem would be quite complex, the easiest solution will be to not allow this type of NFT but if you want the users to use them, a possible solution is to store in mapping the NFT holder and its rewards, and another function to sends the rewards from the source chain to the destination chain and on the destination chain users to claim them.
Lead Judging Commences
invalid-NFT-with-priviledges-could-lose-them
Loss of rewards not associed to the protocol: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
Appeal created
invalid-NFT-with-priviledges-could-lose-them
Loss of rewards not associed to the protocol: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.