NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Missing event emission in Cairo contract for whitelist enablement

Summary

The Cairo contract does not emit an event when the whitelist feature is enabled or disabled, unlike its Solidity counterpart. This omission results in a lack of traceability and monitoring for the whitelist status on L2, which could lead to synchronization issues between L1 and L2.

Vulnerability Details

In the Solidity contract, when the whitelist is enabled or disabled using the enableWhiteList function, the WhiteListUpdated event is emitted to log this change. This event is important for off-chain systems that monitor and track the status of the whitelist. However, in the Cairo contract, the equivalent enable_white_list function does not emit an event when the whitelist status is changed. This inconsistency in event emission creates a gap in monitoring and traceability of the whitelist status on L2, potentially causing issues in maintaining synchronization between L1 and L2.

Location:

  • https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L308

  • https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L275

Impact

The lack of event emission in the Cairo contract for whitelist status changes can lead to gaps in off-chain monitoring and synchronization between L1 and L2. While the impact is low, as this mainly affects traceability and monitoring, it still poses a risk to the consistent management of whitelist status across both layers.

Tools Used

  • Manual code review

Recommendations

  • Add event emission in the Cairo contract, similar to the WhiteListUpdated event in the Solidity contract. This event should be emitted whenever the whitelist is enabled or disabled, ensuring that both L1 and L2 provide consistent and traceable logs for this critical feature.
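
The recommendation above, sketched as an added example; this is not code from the Ark Project repository or from the submission. It is a stand-alone Starknet contract that assumes Cairo 2.7 or later, and the contract name, storage fields, admin check and the event field name are hypothetical. Only enable_white_list and WhiteListUpdated are names taken from the report.

```cairo
// Added illustration, not the Ark Project bridge. Assumes Cairo >= 2.7.
#[starknet::interface]
trait IWhiteListDemo<T> {
    fn enable_white_list(ref self: T, enable: bool);
    fn is_white_list_enabled(self: @T) -> bool;
}

#[starknet::contract]
mod white_list_demo {
    use starknet::{ContractAddress, get_caller_address};
    use starknet::storage::{StoragePointerReadAccess, StoragePointerWriteAccess};

    #[storage]
    struct Storage {
        admin: ContractAddress, // hypothetical owner slot
        white_list_enabled: bool, // hypothetical flag name
    }

    #[event]
    #[derive(Drop, starknet::Event)]
    enum Event {
        WhiteListUpdated: WhiteListUpdated,
    }

    // Mirrors the name of the L1 event; the field name is an assumption.
    #[derive(Drop, starknet::Event)]
    struct WhiteListUpdated {
        enabled: bool,
    }

    #[constructor]
    fn constructor(ref self: ContractState, admin: ContractAddress) {
        self.admin.write(admin);
    }

    #[abi(embed_v0)]
    impl WhiteListDemoImpl of super::IWhiteListDemo<ContractState> {
        fn enable_white_list(ref self: ContractState, enable: bool) {
            assert(get_caller_address() == self.admin.read(), 'Unauthorized call');
            self.white_list_enabled.write(enable);
            // Without this line the flag changes silently; with it, an
            // indexer can follow L2 toggles the same way it follows L1.
            self.emit(WhiteListUpdated { enabled: enable });
        }

        fn is_white_list_enabled(self: @ContractState) -> bool {
            self.white_list_enabled.read()
        }
    }
}
```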

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

A PoC always helps to understand the real impact possible.
