NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Restricted access to request cancellation may lead to locked user funds

Summary

In Bridge.sol, the startRequestCancellation function is currently restricted to the contract owner, which could lead to user funds being locked if the owner is unavailable or unresponsive.

Vulnerability Details

  1. The startRequestCancellation function is restricted to the owner:

    function startRequestCancellation(
        uint256[] memory payload,
        uint256 nonce
    ) external onlyOwner {
        // ...
    }

  2. While the cancelRequest function is open to anyone:

    function cancelRequest(
        uint256[] memory payload,
        uint256 nonce
    ) external {
        // ...
    }

Impact

Users may be unable to initiate the cancellation process if the owner is unavailable, leading to locked funds.

Tools Used

Manual review

Recommendations

  1. Remove the onlyOwner modifier from startRequestCancellation:

    function startRequestCancellation(
        uint256[] memory payload,
        uint256 nonce
    ) external {
        // ...
    }
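
The access asymmetry this submission describes can be surfaced mechanically when reviewing a contract's entry points. The Python sketch below is an added example, not code from the submission or from the NFTBridge project: it lists the custom modifiers on each externally callable function in a piece of Solidity source. The sample input is constructed from the two signatures quoted above, and the helper names (access_matrix, gated_only, open_to_anyone) are hypothetical.

```python
import re

# Constructed sample: the two signatures quoted in the submission, bodies elided.
SAMPLE = """
function startRequestCancellation(
    uint256[] memory payload,
    uint256 nonce
) external onlyOwner {
    // ...
}
function cancelRequest(
    uint256[] memory payload,
    uint256 nonce
) external {
    // ...
}
"""

# Solidity keywords that may follow the parameter list but are not modifiers.
KEYWORDS = {"external", "public", "internal", "private", "view", "pure",
            "payable", "virtual", "override", "returns"}
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")

def access_matrix(source):
    """Map each externally callable function to its custom modifiers."""
    matrix = {}
    for name, _params, tail in FUNC_RE.findall(source):
        tail = re.sub(r"returns\s*\([^)]*\)", " ", tail)  # drop return types
        tail = re.sub(r"\([^)]*\)", " ", tail)            # drop modifier arguments
        words = re.findall(r"[A-Za-z_]\w*", tail)
        if not {"external", "public"} & set(words):
            continue  # not reachable from outside the contract
        matrix[name] = [w for w in words if w not in KEYWORDS]
    return matrix

def gated_only(matrix, modifier="onlyOwner"):
    """Entry points that only a caller satisfying `modifier` can use."""
    return sorted(n for n, mods in matrix.items() if modifier in mods)

def open_to_anyone(matrix):
    """Entry points with no custom modifier at all."""
    return sorted(n for n, mods in matrix.items() if not mods)

if __name__ == "__main__":
    m = access_matrix(SAMPLE)
    for name, mods in m.items():
        print(f"{name:28} {', '.join(mods) or '(none)'}")
```

The regex handles flat signatures like the ones quoted here; it does not resolve inherited functions or function-type parameters, for which the compiler's AST is the reliable source.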
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
