NFTBridge
60,000 USDC
Submission Details
Severity: high
Invalid

[H-1] Missing Access control allows you to mint tokens and allows you to whitelist a collection

Summary

The ensure_erc721_deployment function in bridge.cairo lacks proper access control, allowing any user to mint ERC-721 tokens and whitelist collections without authorization. Additionally, the function updates critical storage mappings, l1_to_l2_addresses and l2_to_l1_addresses, which are widely read and used throughout the contract. This lack of access control could lead to unauthorized changes in these mappings, potentially affecting other contract functions such as deposit_tokens, and compromising the contract’s overall integrity.


Vulnerability Details

Location: ensure_erc721_deployment function

The ensure_erc721_deployment function does not include access control checks, making it vulnerable to misuse. Specifically:

  1. Unauthorized Minting: Without access controls, any user can invoke this function, leading to unauthorized minting of ERC-721 tokens. This can inflate the token supply and undermine the token’s intended economic model.

  2. Unauthorized Whitelisting: Users can whitelist any collection, which might introduce unvetted or malicious collections into the contract ecosystem. This could damage the platform’s reputation and trustworthiness.

  3. Critical Mapping Updates: The function updates important storage mappings (l1_to_l2_addresses and l2_to_l1_addresses) without validation. This could lead to unauthorized or erroneous updates, impacting functions that depend on these mappings, such as deposit_tokens.

  4. Fake Requests: The function does not validate the request struct parameters, allowing users to craft malicious requests that could exploit the contract’s functionality.


Impact

  • Severity: Critical

  • Likelihood: High

How to Exploit

  1. Unauthorized Minting:

    • Exploit: Any user can call the ensure_erc721_deployment function. By creating a fake request struct, they can mint ERC-721 tokens without authorization.

    • Steps:

      1. Deploy a contract or use an existing one to call ensure_erc721_deployment.

      2. Craft a request struct with desired token data.

      3. Call the function with this fake request, leading to the minting of new tokens.

  2. Unauthorized Whitelisting:

    • Exploit: A user can whitelist any collection by calling the function with an unverified or malicious collection address.

    • Steps:

      1. Call ensure_erc721_deployment with parameters that include the address of an unvetted or malicious collection.

      2. This adds the collection to the whitelist, allowing it to interact with the contract.

  3. Manipulation of Critical Mappings:

    • Exploit: Unauthorized updates to l1_to_l2_addresses and l2_to_l1_addresses could be performed by exploiting the function's lack of access control.

    • Steps:

      1. Call ensure_erc721_deployment with data that alters the mappings.

      2. This could affect the behavior of other contract functions relying on these mappings, such as deposit_tokens.

  4. Fake Requests:

    • Exploit: Users can create and submit fake request structs with arbitrary or harmful data, exploiting the lack of validation in the function.

    • Steps:

      1. Construct a request struct with malicious or erroneous data.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
