ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Use `encodeCall` instead of `encodeWithSelector`

tigerfrake

Summary

deployERC721Bridgeable() and deployERC1155Bridgeable() functions uses abi.encodeWithSelector to encode the dataInit function call. This method however, doesn't provide type checking of function arguments.

Vulnerability Details

deployERC721Bridgeable():

bytes memory dataInit = abi.encodeWithSelector(
ERC721Bridgeable.initialize.selector,
abi.encode(name, symbol)
);

deployERC1155Bridgeable():

bytes memory dataInit = abi.encodeWithSelector(
ERC1155Bridgeable.initialize.selector,
abi.encode(uri)
);

As seen, the dataInit is encoded without any type checking.

abi.encodeCall will check the arguments type and gives error if not same.

Impact

Missing type check can lead to unexpected behavior.

Tools Used

Manual Review

Recommendations

Consider using encodeCall to generate dataInit.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.