NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Incomplete utilization of SRC5

Summary

SRC5 is not used properly in erc721_bridgeable: no interfaces are registered in the constructor, so the contract only ever reports support for SRC5 itself.

Vulnerability Details

erc721_bridgeable supports the SRC5 introspection standard (the Starknet counterpart of EIP-165 on Ethereum).

// SRC5
#[abi(embed_v0)]
impl SRC5Impl = SRC5Component::SRC5Impl<ContractState>;

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/token/erc721_bridgeable.cairo#L29

The issue is that no interfaces are registered in the constructor, nor is there any mechanism by which the admin can register interfaces later. In other words, the usage of SRC5 is incomplete.

For example, the Everai collection deployed on Starknet returns true when supports_interface is called with ISRC5_ID, meaning it supports SRC5. But since no other interfaces are registered in the constructor, the same function returns false for every other interface ID.
https://starkscan.co/contract/0x02acee8c430f62333cf0e0e7a94b2347b5513b4c25f699461dd8d7b23c072478#read-write-contract-sub-read

pub const ISRC5_ID: felt252 = 0x3f918d17e5ee77373b56385708f855659a07f75997f365cf87748628532a055;

https://github.com/OpenZeppelin/cairo-contracts/blob/main/packages/introspection/src/interface.cairo#L4C1-L4C97

It should be implemented as suggested by OpenZeppelin:
https://docs.openzeppelin.com/contracts-cairo/0.15.0/introspection

Impact

  • Incorrect usage of SRC5: supports_interface returns false for every interface other than ISRC5_ID itself, so callers cannot discover what the contract implements.

Tools Used

Recommendations

erc721_bridgeable should be modified as follows:

// SRC5
#[abi(embed_v0)]
impl SRC5Impl = SRC5Component::SRC5Impl<ContractState>;
+ impl SRC5InternalImpl = SRC5Component::InternalImpl<ContractState>;
// ...
#[constructor]
fn constructor(
    ref self: ContractState,
    name: ByteArray,
    symbol: ByteArray,
    base_uri: ByteArray,
    bridge: ContractAddress,
    collection_owner: ContractAddress,
) {
    // ...
+   self.src5.register_interface(selector!("some_interface"));
}

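The complete pattern from the OpenZeppelin introspection docs linked above, as an added example that is not the project's code: the SRC5 internal impl is brought in, the ERC721 interfaces are registered at construction, and a project-specific interface is registered explicitly. It assumes openzeppelin cairo-contracts 0.15.0; IERC721_BRIDGEABLE_ID is a hypothetical placeholder, not a real SNIP-5 id.

```cairo
#[starknet::contract]
mod ERC721Bridgeable {
    use openzeppelin::introspection::src5::SRC5Component;
    use openzeppelin::token::erc721::{ERC721Component, ERC721HooksEmptyImpl};

    // Hypothetical placeholder for the SNIP-5 id of the project's own
    // bridgeable interface (derived from its extended function selectors).
    const IERC721_BRIDGEABLE_ID: felt252 = 'PLACEHOLDER_INTERFACE_ID';

    component!(path: SRC5Component, storage: src5, event: SRC5Event);
    component!(path: ERC721Component, storage: erc721, event: ERC721Event);
    // External view: supports_interface(interface_id) -> bool.
    #[abi(embed_v0)]
    impl SRC5Impl = SRC5Component::SRC5Impl<ContractState>;
    // Internal: register_interface / deregister_interface; without it nothing can record support.
    impl SRC5InternalImpl = SRC5Component::InternalImpl<ContractState>;
    #[abi(embed_v0)]
    impl ERC721Impl = ERC721Component::ERC721Impl<ContractState>;
    #[abi(embed_v0)]
    impl ERC721MetadataImpl = ERC721Component::ERC721MetadataImpl<ContractState>;
    impl ERC721InternalImpl = ERC721Component::InternalImpl<ContractState>;

    #[storage]
    struct Storage {
        #[substorage(v0)]
        src5: SRC5Component::Storage,
        #[substorage(v0)]
        erc721: ERC721Component::Storage,
    }

    #[event]
    #[derive(Drop, starknet::Event)]
    enum Event {
        #[flat]
        SRC5Event: SRC5Component::Event,
        #[flat]
        ERC721Event: ERC721Component::Event,
    }

    #[constructor]
    fn constructor(
        ref self: ContractState, name: ByteArray, symbol: ByteArray, base_uri: ByteArray,
    ) {
        // OpenZeppelin's ERC721 initializer registers IERC721_ID and
        // IERC721_METADATA_ID through the SRC5 component.
        self.erc721.initializer(name, symbol, base_uri);
        // Project-specific interfaces must be registered explicitly, otherwise
        // supports_interface returns false for them.
        self.src5.register_interface(IERC721_BRIDGEABLE_ID);
    }
}
```

After deployment, supports_interface(IERC721_ID) and supports_interface(IERC721_BRIDGEABLE_ID) both return true, which is the check an integrator such as a bridge can rely on.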
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
A PoC always helps to understand the real impact possible.
