ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Unsafe ERC721 transfer in Starknet bridge contract

mikb

Summary

bridge uses an unsafe transfer_from method for ERC721 tokens during the withdrawal process, which could lead to permanent loss if the recipient doesn't support ERC721 tokens.

Vulnerability Details

In the withdraw_auto_from_l1 function of the bridge contract in cairo, the following code is used to transfer NFTs:

if is_escrowed {
IERC721Dispatcher { contract_address: collection_l2 }
.transfer_from(from, to, token_id);
}

This uses the standard transfer_from method instead of the safer safe_transfer_from method recommended when dealing with ERC721 tokens.

Impact

If the recipient (to address) is a contract that doesn't implement the ERC721Receiver interface, the NFT could be permanently lost.

Tools Used

Manual review

Recommendations

Implement and use a safe_transfer_from method for ERC721 transfers.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.