ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Valid

The contract `bridge.cairo` does not prohibit `withdraw_auto`, which means that users will not be able to withdraw in L1.

zraxx

Summary

The contract bridge.cairo does not prohibit withdraw_auto, which means that users will not be able to withdraw in L1.

Vulnerability Details

In the L1, the contract Bridge.sol disallows withdraw_auto in the function withdrawTokens.

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/Bridge.sol#L169-L172

if (Protocol.canUseWithdrawAuto(header)) {
// 2024-03-19: disabled autoWithdraw after audit report
// _consumeMessageAutoWithdraw(_starklaneL2Address, request);
revert NotSupportedYetError();
} else {

However, in the L2, the contract bridge.cairo allows withdraw_auto in the function deposit_tokens.

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/bridge.cairo#L276-L278

let req = Request {
header: compute_request_header_v1(ctype, use_deposit_burn_auto, use_withdraw_auto),

That is, tokens sent by users with withdraw_auto mode on the L2 layer will not be available for collection on the L1 layer.

Impact

User may not be able to withdraw in L1.

Tools Used

Vscode

Recommendations

Disallow withdraw_auto mode on the L2 layer.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-auto_withdrawn-L2-NFT-stuck

Impact: High, token will be stuck in L2 bridge. Likelyhood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.