The hash that comes with the request object in the bridge.cairo contract is not recomputed in the withdraw_auto_from_l1 function, so data integrity is not ensured.
See the summary. This feature is yet to be written, but it is necessary to point this out since the code might end up in production as is.
The request object CAN be altered on its way to the Starknet part of the bridge. Data integrity is not ensured.
Manual review
Recompute the hash from the data that comes in the request object. Make sure it matches the one emitted in the Ethereum event on the Bridge.sol contract.
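The recommended check, sketched in Python as an added example (not code from the bridge or from this submission): one handler trusts the carried hash, the other recomputes it and rejects a mismatch. The Request fields, the helper names and the use of SHA-256 are assumptions; the real contract must hash the same fields, with the same function and encoding, as Bridge.sol.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    # Hypothetical layout; the page does not list the real request fields.
    hash: bytes            # hash carried with the request (emitted on L1)
    collection_l1: str
    owner_l1: str
    owner_l2: str
    token_ids: tuple

def compute_request_hash(req: Request) -> bytes:
    """Hash every field except `hash`, length-prefixed so field
    boundaries cannot be shifted without changing the digest."""
    h = hashlib.sha256()   # stand-in for the hash Bridge.sol emits
    fields = [req.collection_l1, req.owner_l1, req.owner_l2]
    fields += [str(t) for t in req.token_ids]
    h.update(len(fields).to_bytes(4, "big"))
    for field in fields:
        data = field.encode()
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.digest()

def make_request(collection_l1, owner_l1, owner_l2, token_ids) -> Request:
    """L1 side: build the request and attach its hash."""
    req = Request(b"", collection_l1, owner_l1, owner_l2, tuple(token_ids))
    return replace(req, hash=compute_request_hash(req))

def withdraw_unchecked(req: Request) -> str:
    """Behaviour the finding describes: the carried hash is never verified."""
    return req.owner_l2    # recipient is taken from unverified data

def withdraw_checked(req: Request) -> str:
    """Recommended behaviour: recompute, compare, then act."""
    if not hmac.compare_digest(compute_request_hash(req), req.hash):
        raise ValueError("request hash does not match request contents")
    return req.owner_l2

if __name__ == "__main__":
    # Constructed sample values, not real addresses.
    good = make_request("0xC0", "0xA1", "0xB2", (1, 2))
    altered = replace(good, owner_l2="0xEE")   # hash field left untouched
    print(withdraw_unchecked(altered))         # altered recipient accepted
    try:
        withdraw_checked(altered)
    except ValueError as err:
        print("rejected:", err)
```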