ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Incorrect token transfer logic, `new_owners` not considered

0xtheblackpanther

Github

https://github.com/ArkProjectNFTs/bridge/blob/1bb58731d8e4c37a71d3611c8ea6163c9b019193/apps/blockchain/starknet/src/bridge.cairo#L128-L181

Summary

In the FSM for Starklane in Figma, it is specified that if new_owners is empty, the token should be transferred to owner_L2. Otherwise, it should be transferred to the corresponding index in new_owners. However, the current implementation does not check for new_owners and always transfers the token to owner_L2, which is not correct.

Impact

Tokens will always be transferred to owner_L2, and new_owners will never receive tokens even if new_owners is not empty.

Recommendation

Add logic to handle the new_owners field correctly.

e.g add below lines in withdraw_auto_from_l1:

let to = if req.new_owners.len() == 0 {

req.owner_l2

} else {

req.new_owners[i]

};

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.