ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Any user should be able to start a cancellation

crisscs

Summary

As per the official documentation for L1 → L2 message cancellation, the user that initiated the L1→L2 message calls the startL1ToL2MessageCancellation function in the Starknet Core Contract. However, in the Bridge.sol

the startRequestCancellationfunction has an onlyOwner modifier, preventing the user from starting a cancellation themselves.

This has also been flagged in one of the previous audit reports, also included in the known issues, however it has not been resolved.

Vulnerability Details

As per the official documentation for L1 → L2 message cancellation, the user that initiated the L1→L2 message calls the startL1ToL2MessageCancellation function in the Starknet Core Contract. However, in the Bridge.sol

the startRequestCancellationfunction has an onlyOwner modifier, preventing the user from starting a cancellation themselves.

Reference: https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L223

/**
@notice Start the cancellation of a given request.
@param payload Request to cancel
@param nonce Nonce used for request sending.
*/
function startRequestCancellation(
uint256[] memory payload,
uint256 nonce
) external onlyOwner {
IStarknetMessaging(_starknetCoreAddress).startL1ToL2MessageCancellation(
snaddress.unwrap(_starklaneL2Address),
felt252.unwrap(_starklaneL2Selector),
payload,
nonce
);
Request memory req = Protocol.requestDeserialize(payload, 0);
emit CancelRequestStarted(req.hash, block.timestamp);
}

Furthermore, the existing tests, from Bridge.t.sol pass successfully that expect only an owner to be able to call the function.

[PASS] test_startRequestCancellation_onlyAdmin() (gas: 626510)

This has also been flagged in one of the previous audit reports and included in the known issues.

File: docs/audit/Audit-Cairo_Security_Clan-Updated.pdf

Link: https://github.com/Cyfrin/2024-07-ark-project/blob/main/docs/audit/Audit-Cairo_Security_Clan-Updated.pdf

The [M-04] Access Control issue cancellation has been marked as Fixed, however, it has not been.

Impact

The function is intended to allow users to initiate a cancellation process is, contrary to the Starknet documentation, restricted such that only the owner can trigger it. This discrepancy not only undermines trust by deviating from the expected functionality as outlined in public documentation but also centralizes control, thereby increasing the risks associated with abuse or failure. Restricting this function to administrators limits users' ability to autonomously manage their interactions, potentially leading to user dissatisfaction and reduced platform engagement.

Tools Used

  • Manual Code Review: Analyzing the contract code and previous audits.

Recommendations

  • The onlyOwner modifier of the startRequestCancellation should be removed

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

crisscs Submitter
9 months ago
n0kto Lead Judge
9 months ago
n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.