NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Missing event emission in Cairo contract for collection mapping updates

Summary

The Cairo contract does not emit an event when the L1-L2 collection mapping is updated, although the corresponding Solidity contract does.

Vulnerability Details

There is a discrepancy between the Cairo and Solidity contracts regarding the emission of events during the update of L1-L2 collection mappings. Specifically, the Cairo contract does not emit an event when the set_l1_l2_collection_mapping function is called, unlike its Solidity counterpart, which emits the L1L2CollectionMappingUpdated event. The absence of this event means that off-chain systems may not be aware of mapping updates on the L2 side, potentially causing gaps in tracking and inconsistencies between L1 and L2 layers.

Locations:

  • Cairo Bridge - https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L360C9-L364C10

  • Solidity Bridge - https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L374

Impact

The absence of event emission in the Cairo contract can lead to off-chain systems being unaware of updates to L1-L2 collection mappings. This can cause difficulties in tracking changes and maintaining synchronization between L1 and L2 layers, potentially leading to inconsistencies and outdated mappings in off-chain applications.

Tools Used

  • Manual code review

Recommendations

  • Add the missing event emission in the Cairo contract: introduce an event similar to the L1L2CollectionMappingUpdated event in the Solidity contract. This will ensure that updates to L1-L2 collection mappings are consistently tracked across both layers.
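The recommendation above, sketched as an added example; it is not code from the submission or from the Ark project. Only the names set_l1_l2_collection_mapping and L1L2CollectionMappingUpdated come from the page; the module name, storage layout, event fields, parameter names and admin check are hypothetical, and the storage API assumes Cairo 2.7 or later.

```cairo
use starknet::{ContractAddress, EthAddress};

#[starknet::interface]
trait ICollectionMapping<TContractState> {
    fn set_l1_l2_collection_mapping(
        ref self: TContractState, collection_l1: EthAddress, collection_l2: ContractAddress,
    );
}

#[starknet::contract]
mod collection_mapping_example {
    use starknet::{ContractAddress, EthAddress, get_caller_address};
    use starknet::storage::{
        Map, StorageMapWriteAccess, StoragePointerReadAccess, StoragePointerWriteAccess,
    };

    #[storage]
    struct Storage {
        admin: ContractAddress, // hypothetical access-control slot
        l1_to_l2: Map<EthAddress, ContractAddress>, // hypothetical layout
        l2_to_l1: Map<ContractAddress, EthAddress>,
    }

    #[event]
    #[derive(Drop, starknet::Event)]
    enum Event {
        L1L2CollectionMappingUpdated: L1L2CollectionMappingUpdated,
    }

    // Both addresses are keys so an indexer can filter on either side.
    #[derive(Drop, starknet::Event)]
    struct L1L2CollectionMappingUpdated {
        #[key]
        collection_l1: EthAddress,
        #[key]
        collection_l2: ContractAddress,
    }

    #[constructor]
    fn constructor(ref self: ContractState, admin: ContractAddress) {
        self.admin.write(admin);
    }

    #[abi(embed_v0)]
    impl CollectionMappingImpl of super::ICollectionMapping<ContractState> {
        fn set_l1_l2_collection_mapping(
            ref self: ContractState, collection_l1: EthAddress, collection_l2: ContractAddress,
        ) {
            assert(get_caller_address() == self.admin.read(), 'Unauthorized');
            self.l1_to_l2.write(collection_l1, collection_l2);
            self.l2_to_l1.write(collection_l2, collection_l1);
            // Emit after both writes so the event always reflects committed state.
            self.emit(L1L2CollectionMappingUpdated { collection_l1, collection_l2 });
        }
    }
}
```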

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts. Think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

A PoC always helps to understand the real impact possible.
