The MAX_PAYLOAD_LENGTH variable is hardcoded, which might cause issues if the Starknet protocol changes.
In the Starklane contract, the MAX_PAYLOAD_LENGTH constant is defined as:
Bridge.sol#L25
This constant is used in the depositTokens function to check if the serialized payload exceeds the maximum allowed length:
According to the communication with the Ark team, there is a limit in Starknet L1->L2 messaging, and this value is not officially documented in the Starknet Docs. It was obtained directly from the Starkware team.
Hardcoding this value may lead to issues if the Starknet protocol changes in the future. If Starknet modifies the maximum payload length in a future update, the Starklane bridge contract will be out of sync with the actual protocol limits because the value is hardcoded and there is no function available to change the limits.
If Starknet were to decrease the payload limit in the future for any reason, the contract would allow payloads larger than the new Starknet limit. This mismatch could potentially lead to unexpected behavior or severe security vulnerabilities when interacting with the updated Starknet system.
Manual Review
Use a mutable state variable: Replace the constant with a state variable that can be updated by the admin if the protocol changes.
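A minimal sketch of the recommendation above, added here as an example and not taken from the Starklane code base: the limit becomes admin-updatable storage that is checked at deposit time. The contract name, `setMaxPayloadLength`, `checkPayload`, the event and the errors are hypothetical, and the initial limit is a constructor argument because the actual value is not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration only, not the Starklane Bridge contract.
/// All identifiers here are hypothetical.
contract PayloadLimitExample {
    address public admin;

    // Replaces the hardcoded MAX_PAYLOAD_LENGTH constant.
    // The initial value is supplied at deployment.
    uint256 public maxPayloadLength;

    event MaxPayloadLengthUpdated(uint256 previous, uint256 current);

    error NotAdmin();
    error ZeroLimit();
    error PayloadTooLarge(uint256 length, uint256 limit);

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor(uint256 initialLimit) {
        if (initialLimit == 0) revert ZeroLimit();
        admin = msg.sender;
        maxPayloadLength = initialLimit;
    }

    /// Admin-only update, for use if the L1->L2 message limit changes.
    function setMaxPayloadLength(uint256 newLimit) external onlyAdmin {
        // A zero limit would block every deposit, so reject it.
        if (newLimit == 0) revert ZeroLimit();
        emit MaxPayloadLengthUpdated(maxPayloadLength, newLimit);
        maxPayloadLength = newLimit;
    }

    /// Stand-in for the length check performed in depositTokens:
    /// reverts when the serialized payload exceeds the current limit.
    function checkPayload(uint256[] memory payload) public view {
        if (payload.length > maxPayloadLength) {
            revert PayloadTooLarge(payload.length, maxPayloadLength);
        }
    }
}
```

Making the limit mutable adds an admin trust assumption to the bridge; the emitted event lets off-chain monitoring record every change to the limit.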
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.