The `escrow_deposit_tokens` function in `bridge.cairo` currently lacks proper access control mechanisms, allowing any user to call the function. This oversight presents several risks, including unauthorized deposits, potential exploitation by malicious actors, lack of accountability, and possible regulatory non-compliance.
Vulnerability Type: Improper Access Control (Function Misuse)
The `escrow_deposit_tokens` function can be invoked by any external address. This lack of restriction means that the function does not check whether the caller has the necessary permissions or authorization to perform the deposit action. As a result, this opens up several avenues for exploitation:
Unauthorized Deposits: Any user can deposit tokens on behalf of another user without their consent or knowledge.
Spam and DoS Attacks: The function can be spammed with unauthorized or unnecessary transactions, potentially leading to network congestion and increased gas fees.
Economic Manipulation: Malicious actors could exploit the function to manipulate the token supply or escrow conditions, leading to unintended economic outcomes.
Code :
Severity: High
Likelihood: Medium to High
Implement access control here, or make the function internal, allowing only the bridge to call this function.
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.