ArkProject: NFT Bridge

Summary

The Solidity contract lacks a function for handling non-consumable message from L2 and Cairo contract currently lacks a mechanism to cancel or revert transactions if the corresponding message cannot be consumed on L1. This creates a risk where assets, such as NFTs, could become permanently stuck in the Cairo contract without any means of recovery, leading to significant user impact.

Vulnerability Details

In the current implementation, if a user sets the use_withdraw_auto parameter to true during a deposit operation on L2, and the withdrawal process on L1 will fails due to the NotSupportedYetError and there is no mechanism in the Cairo contract to cancel the request or revert the transaction and Solidity contract to consume the non-consumable request. This omission leaves the asset trapped on L2 without a way to recover it, creating a significant risk of asset loss.

Locations:

• https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L169

• https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L248C13-L248C30

Impact

Without a mechanism to handle non-consumable functions on L1 and function for handling cancellation on L2, assets like NFTs could be permanently stuck in the Cairo contract without minting new NFT on L1 and unable for withdraw. This could lead to a significant loss of user assets and negatively impact the overall user experience.

Tools Used

• Manual code review

Recommendations

• Have an only owner function on L1 to cancel those request by consuming the message and sending message back to L2 to “revert_transaction” as l1_handler on Cairo contract, this l1_handler reverts the transaction on l2, similar to the cancel request on L1, it withdraw the NFT back to request owner