A logic flaw allows a caller who holds no NFTs on L2 to have an NFT counterpart created on L1 without actually possessing the NFTs on L2. The issue arises because the deposit_tokens function proceeds without checking the length of token_ids. This opens the door to front-running, where NFTs that are not yet set for sale, not initialized, or paused on L2 can have a counterpart created on L1 prematurely.
The deposit_tokens function in bridge.cairo calls escrow_deposit_tokens() without checking that token_ids.len() is greater than 0. Because of this missing validation, a user can trigger the creation of an L1 NFT counterpart while owning no NFTs on L2. As a result, NFTs that are not yet ready for sale, not initialized, or paused on L2 can be prematurely represented on L1, enabling possible front-running attacks.
Locations:
https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L402-L423
The probability of this issue occurring is high, and the impact is medium. The creation of an L1 counterpart NFT without holding the corresponding NFT on L2 can lead to inconsistencies between the layers and potential exploitation by malicious actors.
Tools used: Manual code review
Recommendation: check that token_ids.len() is greater than 0 before calling escrow_deposit_tokens(), and revert if it is not.
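As an added illustration (not code from the ark-project repository), a Cairo guard that implements this check, with `validate_token_ids` a hypothetical helper name; the call belongs at the start of deposit_tokens, before escrow_deposit_tokens() and the L1 message step run:

```cairo
// Added example, not the project's own code. Reverts on an empty token_ids
// batch so that no L1 counterpart can be requested for tokens the caller
// does not hold. `validate_token_ids` is a hypothetical helper name.
use core::array::{ArrayTrait, SpanTrait};

fn validate_token_ids(token_ids: Span<u256>) {
    // Fail early, before any escrow transfer or message to L1 is attempted.
    assert(token_ids.len() > 0, 'No token ids');
}

#[cfg(test)]
mod tests {
    use super::validate_token_ids;

    // An empty batch must revert with the guard's error message.
    #[test]
    #[should_panic(expected: ('No token ids',))]
    fn empty_batch_reverts() {
        let empty: Span<u256> = array![].span();
        validate_token_ids(empty);
    }

    // A non-empty batch passes the guard unchanged.
    #[test]
    fn non_empty_batch_passes() {
        let ids: Span<u256> = array![1_u256, 2_u256].span();
        validate_token_ids(ids);
    }
}
```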
No real impact. The attacker will have to pay for the deployment of the new contract even with 0 tokens, and it won't have any interest in doing that since he won't take control of the contract.