The _whiteListEnabled
variable on Ethereum
and white_list_enabled
variable on Starknet
are intended to control whether the whitelist mechanism is activated. If these variables are set to false, the whitelist mechanism is disabled, allowing all tokens to be bridged across chains without any restrictions. Unfortunately, both variables are initialized to false
by default, which means that, upon deployment, all tokens are automatically allowed for cross-chain activities. This default setting could pose a significant security risk.
The variables _whiteListEnabled
on Ethereum
and white_list_enabled
on Starknet
serve as flags to indicate whether the whitelist mechanism is active.
If _whiteListEnabled
or white_list_enabled
is false, the whitelist check is bypassed, and all tokens are treated as if they are whitelisted by default:
The issue arises because both _whiteListEnabled
and white_list_enabled
are initialized to false
by default (they are not explicitly set to true
during initialization or in the constructor). As a result, all tokens are automatically permitted to bridge across chains without any restrictions when the contract is first deployed.
A proof of concept (PoC) demonstrates this issue:
The output log from the test shows that all collections are considered whitelisted by default:
The fact that all tokens are whitelisted by default can lead to unauthorized cross-chain activities immediately after the contract is deployed and initialized. This poses a severe security risk, as it could allow malicious or unintended tokens to be transferred across chains without any restrictions.
Manual, Foundry
To mitigate this issue, it is recommended to initialize the _whiteListEnabled
and white_list_enabled
variables to true
by default.
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.