startRequestCancellation function should be callable by original depositor also. Currently it is callable exclusively by owner only.
The user then has to contact the admin if, for example, the transaction on the L2 side reverted for any reason. Reference: https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L226
This causes a definite inconvenience and even a potential opportunity loss to the user, whose NFT can remain stuck in escrow indefinitely on L1 until they manage to get in contact with the admin to start message cancellation on L1.
Manual review
Remove the onlyOwner modifier from startRequestCancellation. Inside the function, add the following check:
The 5th element of the payload is the original depositor and initiator of the transaction, and can thus be allowed to initiate cancellation of the transaction (ref https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Protocol.sol#L224).
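The recommendation above, sketched as an added example that is not the project's own code: the owner-only version sits beside a version that also accepts the original L1 depositor read out of the serialized request. The payload index `OWNER_L1_INDEX`, the contract layout and the `IStarknetMessaging` interface are assumptions made for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interface for the Starknet core messaging contract.
interface IStarknetMessaging {
    function startL1ToL2MessageCancellation(
        uint256 toAddress, uint256 selector, uint256[] calldata payload, uint256 nonce
    ) external returns (bytes32);
}

contract BridgeCancellationSketch {
    address public owner;
    IStarknetMessaging public starknetCore;
    uint256 public starknetBridge;   // L2 bridge address (felt)
    uint256 public withdrawSelector; // L2 handler selector

    // Position of the L1 depositor inside the serialized request.
    // Assumed value; the finding refers to "the 5th element of the payload".
    uint256 internal constant OWNER_L1_INDEX = 5;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(IStarknetMessaging core, uint256 l2Bridge, uint256 selector) {
        owner = msg.sender;
        starknetCore = core;
        starknetBridge = l2Bridge;
        withdrawSelector = selector;
    }

    // Before: only the admin can start cancellation, so a user whose L2
    // transaction reverted must wait for the admin to act.
    function startRequestCancellationOwnerOnly(uint256[] memory payload, uint256 nonce) external onlyOwner {
        starknetCore.startL1ToL2MessageCancellation(starknetBridge, withdrawSelector, payload, nonce);
    }

    // After: the admin or the depositor recorded in the request may start cancellation.
    // The core contract only accepts a (payload, nonce) pair whose message hash was
    // actually registered by this bridge, so a forged payload naming the caller as
    // depositor does not cancel anyone else's request.
    function startRequestCancellation(uint256[] memory payload, uint256 nonce) external {
        require(payload.length > OWNER_L1_INDEX, "payload too short");
        address depositor = address(uint160(payload[OWNER_L1_INDEX]));
        require(msg.sender == owner || msg.sender == depositor, "not owner or depositor");
        starknetCore.startL1ToL2MessageCancellation(starknetBridge, withdrawSelector, payload, nonce);
    }
}
```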
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.