Users lose funds if msg.value for the deposit is less than 20k wei.
Quoting the L1-L2 messaging section of the Cairo book:
It's important to note that we have {value: msg.value}. In fact, the minimum value we've to send here is 20k wei, due to the fact that the StarknetMessaging contract will register the hash of our message in the storage of Ethereum.
The problem is that in Bridge::depositTokens(...) we don't check whether the forwarded value is at least 20k wei, i.e. if a user forwards less than that, it will be stuck in the bridge forever:
Deposits that forward less than 20k wei will revert because there's not enough gas to register the hash of the message in storage.
The value forwarded is stuck in the bridge and lost.
Manual review.
Impact: Medium/High. Need an admin to start a cancellation and wait for 5 days once done. DoS > 5 days. Likelihood: Low. Every time a wallet or a user does not send enough gas.
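One way to add the missing check, shown as an added example that is not the audited project's code: the deposit reverts before anything else happens when the forwarded value is below the 20k wei figure from the Cairo book passage quoted above. The contract name, constant name, error name, constructor parameters and payload layout are assumptions made for illustration, and token escrow is left out so the block covers only the fee check and the message send.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Starknet's IStarknetMessaging interface used by this example.
interface IStarknetMessaging {
    function sendMessageToL2(
        uint256 toAddress,
        uint256 selector,
        uint256[] calldata payload
    ) external payable returns (bytes32, uint256);
}

// Hypothetical bridge used only to illustrate the check.
contract BridgeFeeCheckExample {
    // 20k wei minimum taken from the Cairo book quote; constant name is assumed.
    uint256 public constant MIN_L1_MSG_FEE = 20_000 wei;

    IStarknetMessaging public immutable starknetCore;
    uint256 public immutable l2Bridge;   // assumed L2 bridge contract address
    uint256 public immutable l2Selector; // assumed l1_handler selector

    error MessageFeeTooLow(uint256 sent, uint256 minimum);

    constructor(IStarknetMessaging core, uint256 l2Bridge_, uint256 l2Selector_) {
        starknetCore = core;
        l2Bridge = l2Bridge_;
        l2Selector = l2Selector_;
    }

    function depositTokens(uint256 l2Owner, uint256[] calldata ids)
        external
        payable
        returns (bytes32 msgHash)
    {
        // Reject underfunded deposits up front, before any state change,
        // so the caller keeps both the value and the tokens.
        if (msg.value < MIN_L1_MSG_FEE) {
            revert MessageFeeTooLow(msg.value, MIN_L1_MSG_FEE);
        }

        // Assumed payload layout: [owner, count, id_0, ..., id_n-1].
        uint256[] memory payload = new uint256[](ids.length + 2);
        payload[0] = l2Owner;
        payload[1] = ids.length;
        for (uint256 i = 0; i < ids.length; i++) payload[i + 2] = ids[i];

        (msgHash, ) = starknetCore.sendMessageToL2{value: msg.value}(l2Bridge, l2Selector, payload);
    }
}
```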