ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Contract Verification in setStarklaneL2Address Function

cybrid

Summary

The setStarklaneL2Address function in the Starklane contract does not include verification to ensure that the provided L2 address is a valid contract. This omission could lead to interactions with invalid addresses, resulting in potential transaction failures or unintended behaviors in the protocol.

Vulnerability Details

The setStarklaneL2Address function is responsible for setting the _starklaneL2Address variable, which is later used in various protocol interactions. However, the function currently lacks a mechanism to verify that the provided L2 address corresponds to a valid smart contract.

Potential Issues:

Incorrect or Malicious Address: Without verification, an incorrect or malicious address could be set, leading the protocol to attempt interactions with an address that is either non-existent or not a smart contract.
Failed Interactions: Functions that rely on _starklaneL2Address may fail if the address does not represent a contract, causing transaction failures and possible disruptions in the protocol.

Impact

The lack of validation can cause critical protocol functions to fail if they attempt to interact with a non-contract address. This could lead to a range of issues, including stalled transactions, loss of funds, and reduced reliability of the protocol. The risk is particularly high in scenarios where the address is set incorrectly due to user error or malicious input.

Tools Used

Manual Code Review

Recommendations

Implement Contract Verification:

Enhance the setStarklaneL2Address function by adding a check to ensure the address provided is a contract.
Use the extcodesize opcode to verify the presence of bytecode at the provided address, confirming it is a contract.

Code Enhancement Example:

function setStarklaneL2Address(uint256 l2Address) public onlyOwner {

address starknetCoreAddress = Cairo.snaddressWrap(l2Address);

// Check if the address is a contract

require(isContract(starknetCoreAddress), "Invalid L2 address: not a contract");

_starklaneL2Address = starknetCoreAddress;

}

function isContract(address addr) internal view returns (bool) {

uint256 size;

assembly {

size := extcodesize(addr)

}

return size > 0;

}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.