NFTBridge
60,000 USDC
View results
Submission Details
Severity: low
Invalid

User can bridge 0 tokens from L2 -> L1

Summary

User can bridge 0 tokens from L2 -> L1 while the other way around it's not possible.

Vulnerability Details

When bridging tokens from L1 -> L2, we have this check in the _depositIntoEscrow function:

assert(ids.length > 0);

which makes sure that the user can't bridge 0 assets.

However, this check is missing in the escrow_deposit_tokens function on the L2 contract which allows users to bridge 0 tokens from L2 to L1.

This doesn't make sense and while I haven't found a meaningful impact, this opens up a user flow that is not needed and could lead to problems, and it seems like the developers wanted to disable such behavior by implementing the check on L1 but forgot to do it on L2.

Impact

Users can bridge 0 tokens which doesn't make sense and should be disabled like in the L1 contract.

Tools Used

Manual review

Recommendations

Add a check that asserts the user is sending at least 1 token in the escrow_deposit_tokens function.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-empty-tokenIds-starknet-side

No real impact. Attacker will have to pay the deployment of the new contract even with 0 token, and it won’t have any interest do to that since he won’t take the control of the contract.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.