Bridged NFTs on Starknet Cannot Be Rescued If Message Is Never Consumed
Summary
Whilst there is a mechanism via the Starknet bridge to rescue NFTs sent to escrow if the L2 message does not send, if the message on L1 is never consumed, there is no mechanism to ever release the corresponding NFT from escrow.
Vulnerability Details
bridge.cairo.deposit_tokens() calls escrow_deposit_tokens() to transfer bridged Starknet based NFTs to the escrow contract. However, if the message sent on line 295 is never consumed, the NFT will never leave escrow and no ARK NFT will be minted on L1.
This could occur through manual error, technical malfunction or key loss.
Impact
Users of the ARK protocol would unnecessarily have their bridged NFTs locked from access if there is an error in the submission arguments to bridge to L1.
Tools Used
Manual inspection
Recommendations
Add an expiry time after which any user can call a function on L1 to consume the original old message on L1 and initiate a transaction to L2 to send the escrowed NFT back to the original depositor.
Lead Judging Commences
invalid-no-L2-cancel-mecanism-without-any-root-cause
Lack of feature is not a bug. Moreover that’s more something that the Starknet Core should implement since there is no way for Ark to have trusted data, preventing double spending. Finally, there is no real root cause in those reports, only suppositions that something bad can happen.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.