NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Missing Access Control on `cancelRequest`

Summary

The cancelRequest function does not have access control, meaning that anyone can cancel requests.

Vulnerability Details

Without proper access control, any user can call cancelRequest, which may lead to unauthorized cancellation of requests and disruption of normal bridge operations.

Impact

Unauthorized cancellation of requests could interfere with the intended functionality of the bridge, potentially causing service disruptions or misuse.

Tools Used

Manual Code Review

Recommendations

Restrict access to the `cancelRequest` function to authorized entities only, such as the contract owner:

```solidity
// Proposed fix from the submission: gate the whole cancellation on onlyOwner.
function cancelRequest(uint256[] memory payload, uint256 nonce) external onlyOwner {
    // Complete the L1->L2 message cancellation on the Starknet core contract.
    IStarknetMessaging(_starknetCoreAddress).cancelL1ToL2Message(
        snaddress.unwrap(_starklaneL2Address),
        felt252.unwrap(_starklaneL2Selector),
        payload,
        nonce
    );
    // Rebuild the request from the payload and mark it cancelled in the bridge.
    Request memory req = Protocol.requestDeserialize(payload, 0);
    _cancelRequest(req);
    emit CancelRequestCompleted(req.hash, block.timestamp);
}
```

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-cancel-callable-by-anyone

The process to cancel a message is detailed here: https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/#l2-l1_message_cancellation
Since `startRequestCancellation` has the `onlyOwner` modifier, only the owner can begin that process.
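The two-step cancellation the judge refers to, as an added illustration (not code from the NFTBridge / Starklane project): the first step, `startRequestCancellation`, is owner-only; the second, `cancelRequest`, is permissionless but can only complete a cancellation that the owner already started and that has waited out the core contract's delay. `MockStarknetMessaging` is a simplified stand-in for the real Starknet core contract (an assumption for this example; the delay, revert strings and hashing are constructed), and `Bridge` keeps only the parts of the bridge relevant to the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the NFTBridge / Starklane codebase.
// MockStarknetMessaging is a simplified stand-in (assumption) for the Starknet
// core contract: it keeps only the two-step cancellation logic; the delay,
// revert strings and hashing are constructed for the example.
interface IStarknetMessagingLike {
    function startL1ToL2MessageCancellation(
        uint256 toAddress, uint256 selector, uint256[] calldata payload, uint256 nonce
    ) external returns (bytes32);

    function cancelL1ToL2Message(
        uint256 toAddress, uint256 selector, uint256[] calldata payload, uint256 nonce
    ) external returns (bytes32);
}

contract MockStarknetMessaging is IStarknetMessagingLike {
    uint256 public constant CANCELLATION_DELAY = 5 days; // constructed value

    // message hash => timestamp at which cancellation was started (0 = not started)
    mapping(bytes32 => uint256) public cancellationRequestedAt;

    // msg.sender (the bridge contract) is bound into the message identity, so only
    // the contract that sent the message can start or finish its cancellation.
    function _msgHash(
        uint256 toAddress, uint256 selector, uint256[] calldata payload, uint256 nonce
    ) internal view returns (bytes32) {
        return keccak256(abi.encodePacked(
            uint256(uint160(msg.sender)), toAddress, nonce, selector, payload.length, payload
        ));
    }

    function startL1ToL2MessageCancellation(
        uint256 toAddress, uint256 selector, uint256[] calldata payload, uint256 nonce
    ) external returns (bytes32) {
        bytes32 h = _msgHash(toAddress, selector, payload, nonce);
        cancellationRequestedAt[h] = block.timestamp;
        return h;
    }

    function cancelL1ToL2Message(
        uint256 toAddress, uint256 selector, uint256[] calldata payload, uint256 nonce
    ) external returns (bytes32) {
        bytes32 h = _msgHash(toAddress, selector, payload, nonce);
        uint256 requestedAt = cancellationRequestedAt[h];
        require(requestedAt != 0, "CANCELLATION_NOT_REQUESTED");
        require(block.timestamp >= requestedAt + CANCELLATION_DELAY, "CANCELLATION_NOT_ALLOWED_YET");
        delete cancellationRequestedAt[h];
        return h;
    }
}

contract Bridge {
    address public immutable owner;
    IStarknetMessagingLike public immutable starknetCore;
    uint256 public immutable l2Address;  // stands in for the unwrapped _starklaneL2Address
    uint256 public immutable l2Selector; // stands in for the unwrapped _starklaneL2Selector

    mapping(bytes32 => bool) public cancelled;

    event CancelRequestStarted(bytes32 indexed msgHash, uint256 timestamp);
    event CancelRequestCompleted(bytes32 indexed msgHash, uint256 timestamp);

    modifier onlyOwner() {
        require(msg.sender == owner, "NOT_OWNER");
        _;
    }

    constructor(IStarknetMessagingLike core, uint256 l2Addr, uint256 l2Sel) {
        owner = msg.sender;
        starknetCore = core;
        l2Address = l2Addr;
        l2Selector = l2Sel;
    }

    // Step 1 is the privileged one: only the owner can decide that a request is cancelled.
    function startRequestCancellation(uint256[] calldata payload, uint256 nonce) external onlyOwner {
        bytes32 h = starknetCore.startL1ToL2MessageCancellation(l2Address, l2Selector, payload, nonce);
        emit CancelRequestStarted(h, block.timestamp);
    }

    // Step 2 is deliberately permissionless. The core contract reverts unless step 1 was
    // already performed through this bridge (hence by its owner) and the delay has elapsed,
    // so an arbitrary caller can only finish a cancellation the owner already started.
    function cancelRequest(uint256[] calldata payload, uint256 nonce) external {
        bytes32 h = starknetCore.cancelL1ToL2Message(l2Address, l2Selector, payload, nonce);
        cancelled[h] = true; // simplified stand-in for requestDeserialize + _cancelRequest
        emit CancelRequestCompleted(h, block.timestamp);
    }
}
```

Deploy `MockStarknetMessaging`, then `Bridge` pointing at it; calling `cancelRequest` from any account before the owner has called `startRequestCancellation` reverts with `CANCELLATION_NOT_REQUESTED`, and calling it before the delay has passed reverts with `CANCELLATION_NOT_ALLOWED_YET`. Adding `onlyOwner` to `cancelRequest` would therefore not remove any capability an outsider actually has; it would only force the owner to send the second transaction as well.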
