Lack of interface detection on the L2 side while depositing tokens
Summary
The L1 side of the bridge contract correctly uses ERC165 to verify token standards (e.g., ERC721) during token deposits. However, this crucial interface detection check is missing on the L2 side, which assumes tokens conform to the ERC721 standard without verification.
Vulnerability Details
The vulnerability arises due to a lack of interface detection on the L2 side, which contrasts with the L1 implementation's proper handling of token standard verification. On the L1 side, the depositTokens function uses the detectInterface method to determine if a token contract supports the ERC721 interface via ERC165:
The detectInterface function checks the token standard using the ERC165 interface:
However, on the L2 side, this verification step is entirely missing. The deposit_tokens function in the L2 contract does not perform any interface detection to verify if the token adheres to ERC721 standards. Instead, it directly assumes the token is ERC721:
This lack of verification on L2 introduces a security gap because the contract does not confirm the token's compatibility with the expected ERC721 standard using Starknet's SRC-5 (similar to Ethereum’s ERC165).
According to Starknet's SNIP-5 standard, checking interface support is crucial for adapting interactions based on the interface version and ensuring the correct handling of tokens. The absence of such checks on L2 means that non-ERC721-compliant tokens could be mistakenly treated as ERC721, potentially resulting in unexpected behaviors.
Such, interface detection is also missing in token_uri_from_contract_call in collection_manager.cairo
Impact
The absence of interface detection on L2 leads to inconsistent validation processes between L1 and L2, undermining the overall security and integrity of the bridge.
Tools Used
Manual review, Starknet Docs
Recommendations
To ensure consistency and security, implement interface detection on the L2 side using Starknet’s SRC-5 standard (the equivalent of Ethereum’s ERC165). A similar function to L1's detectInterface should be introduced, which checks if a token contract supports the ERC721 interface. This can be implemented using Openzeppelin's Cairo Library
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.