ArkProject: NFT Bridge

Summary

The Cairo contract allows the use_withdraw_auto parameter to be set without restriction during token deposits, potentially leading to withdrawal failures on L1. This risk arises because the Solidity contract will revert the transaction if the use_withdraw_auto flag is set to true.

Vulnerability Details

The withdrawTokens function in the Solidity contract checks the use_withdraw_auto flag within the request header. If this flag is set to true, the function will revert, causing the withdrawal to fail. However, in the Cairo contract, the deposit_tokens function accepts a use_withdraw_auto parameter without enforcing it to be false. This lack of validation can lead to issues where, if use_withdraw_auto is mistakenly set to true, subsequent withdrawal attempts on L1 will fail, potentially causing assets to become inaccessible.

Locations

• https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L277

• https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L169

Impact

If the use_withdraw_auto parameter is set to true in the Cairo contract, it will cause withdrawal attempts on L1 to fail, potentially resulting in assets being locked or lost. This issue has a medium probability and impact, as it directly affects the usability of the withdrawal process.

Tools Used

• Manual code review

Recommendations

• Enforce use_withdraw_auto as false, ensure that the use_withdraw_auto parameter in the Cairo contract is always set to false when initiating a token deposit

• If this functionality is assume to support in the future, clearly document that the use_withdraw_auto feature is not supported yet. Update any relevant documentation to inform the users to pass false for use_withdraw_auto