User can bridge 0 tokens from L2 -> L1
Summary
User can bridge 0 tokens from L2 -> L1 while the other way around it's not possible.
Vulnerability Details
When bridging tokens from L1 -> L2, we have this check in the _depositIntoEscrow function:
which makes sure that the user can't bridge 0 assets.
However, this check is missing in the escrow_deposit_tokens function on the L2 contract which allows users to bridge 0 tokens from L2 to L1.
This doesn't make sense and while I haven't found a meaningful impact, this opens up a user flow that is not needed and could lead to problems, and it seems like the developers wanted to disable such behavior by implementing the check on L1 but forgot to do it on L2.
Impact
Users can bridge 0 tokens which doesn't make sense and should be disabled like in the L1 contract.
Tools Used
Manual review
Recommendations
Add a check that asserts the user is sending at least 1 token in the escrow_deposit_tokens function.
Lead Judging Commences
invalid-empty-tokenIds-starknet-side
No real impact. Attacker will have to pay the deployment of the new contract even with 0 token, and it won’t have any interest do to that since he won’t take the control of the contract.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.