ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

NFTs will stuck forever if user deposits in L2 using use_withdraw_auto true

jokrsec

Summary

Auto withdraw support have been removed. L1 bridge handled this case but L2 bridge doesn't. Inconsistence auto withdraw check between both bridges

Vulnerability Details

Auto withdraws are disabled in L1 bridge contract. If any request with auto withdraw set will revert during withdraw. But this case is not being handled on L2 bridge. So if users deposit their NFTs on L2 with auto withdraw flag set, withdrawTokens in L1 bridge would always revert. Due to this NFTs will get locked

if (Protocol.canUseWithdrawAuto(header)) {
// 2024-03-19: disabled autoWithdraw after audit report
// _consumeMessageAutoWithdraw(_starklaneL2Address, request);
revert NotSupportedYetError();
} else {
_consumeMessageStarknet(_starknetCoreAddress, _starklaneL2Address, request);
}

https://github.com/ArkProjectNFTs/bridge/blob/main/apps/blockchain/starknet/src/bridge.cairo#L242

Impact

NFTs will get locked

Tools Used

Manual review

Recommendations

Revert if use_withdraw_auto is true in deposit function in L2 bridge

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-auto_withdrawn-L2-NFT-stuck

Impact: High, token will be stuck in L2 bridge. Likelyhood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.