NFTBridge
60,000 USDC
Submission Details
Severity: high
Valid

Infinite loop breaks whitelist removal functionality on L2

Summary

The loop in the bridge#_white_list_collection function does not update prev to next, which results in an infinite loop when attempting to remove a collection from the whitelist.

Vulnerability Details

The function iterates through self.white_listed_list to locate the target collection. However, after each iteration, prev is not updated to next. This causes the loop to continuously re-evaluate the same element, preventing the removal operation from completing.

For example, given a white_listed_list structured as collection01 -> collection02 -> collection03 -> collection04, removing collection03 proceeds as follows:

  1. Iteration 1: prev => collection01, next => collection02. Condition next == collection is false, loop continues.

  2. Iteration 2: prev => collection01, next => collection02. Condition next == collection is false, loop continues.

  3. This pattern repeats, causing an infinite loop and preventing the function from progressing past the first element.

File: bridge.cairo

    // removed element from linked list
    loop {
        let (active, next) = self.white_listed_list.read(prev);
        if next.is_zero() {
            // end of list
            break;
        }
        if !active {
            break;
        }
        if next == collection {
            let (_, target) = self.white_listed_list.read(collection);
            self.white_listed_list.write(prev, (active, target));
            break;
        }
        // <-- missing `prev = next`
    };

PoC

Change the line below in starknet/src/tests/bridge_t.cairo:

@@ -711,7 +711,7 @@ mod tests {
assert!(bridge.is_white_listed(collection3), "Collection1 should be whitelisted");
start_prank(CheatTarget::One(bridge_address), BRIDGE_ADMIN);
- bridge.white_list_collection(collection2, false);
+ bridge.white_list_collection(collection3, false);
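
Review bot: the assertion message on the unchanged context line reads "Collection1 should be whitelisted" although the check is is_white_listed(collection3); the message should name collection3 so a failure points at the right element. Replacing collection2 with collection3 in place also drops the existing collection2 removal case, so add the collection3 removal as a separate test, with an assertion that is_white_listed(collection3) is false afterwards, to keep both list positions covered.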

Run snforge test:

[FAIL] starklane::tests::bridge_t::tests::whitelist_collection_is_updated_when_collection_is_removed
Failure data:
Got an exception while executing a hint: Hint Error: Error in the called contract (0x03b24bdfb3983f3361a7f81e871041cc45f3e1c21bfe3f1cbcaf7bec224627d5):
Error at pc=0:17590:
Could not reach the end of the program. RunResources has no remaining steps.

Impact

Apart from the first and second collections, no collection can be removed from the whitelist.

Tools Used

vscode, starknet-foundry

Recommendations

Add prev = next at the end of the loop.
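
The following Python model is an added example, not code from the bridge or from the submission; it replays the removal loop over the four-collection list above, with and without the recommended `prev = next`, and reports which positions can be removed. The names `build`, `remove`, `walk`, `removable` and the step budget are hypothetical, and unlinking the head before the loop is an assumption, since that part of the function is not shown on this page.

```python
# Added model of the whitelist linked list; not the bridge's Cairo code.
ZERO = None          # stands in for the zero address
STEP_BUDGET = 1_000  # constructed stand-in for the VM step limit

class OutOfSteps(Exception):
    """Plays the role of 'RunResources has no remaining steps'."""

def build(names):
    """Return (head, nodes) with nodes[name] = (active, next)."""
    nodes = {n: (True, nxt) for n, nxt in zip(names, names[1:] + [ZERO])}
    return (names[0] if names else ZERO), nodes

def remove(head, nodes, collection, fixed):
    """Unlink `collection` and return the new (head, nodes)."""
    nodes = dict(nodes)
    if head == collection:  # assumption: the head is unlinked before the loop
        return nodes[collection][1], nodes
    prev = head
    for _ in range(STEP_BUDGET):
        # Unset storage reads as (false, zero), hence the default.
        active, nxt = nodes.get(prev, (False, ZERO))
        if nxt is ZERO or not active:
            return head, nodes              # end of list
        if nxt == collection:
            nodes[prev] = (active, nodes[collection][1])  # bypass target
            return head, nodes
        if fixed:
            prev = nxt                      # the recommended `prev = next`
    raise OutOfSteps(collection)

def walk(head, nodes):
    """List the collections reachable from head."""
    out = []
    while head is not ZERO:
        out.append(head)
        head = nodes[head][1]
    return out

def removable(names, fixed):
    """Map each collection to whether removing it alone succeeds."""
    result = {}
    for name in names:
        try:
            result[name] = name not in walk(*remove(*build(names), name, fixed))
        except OutOfSteps:
            result[name] = False
    return result

NAMES = ["collection01", "collection02", "collection03", "collection04"]
```

`removable(NAMES, fixed=False)` marks only collection01 and collection02 as removable, matching the Impact section; with `fixed=True` every position succeeds.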

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-L2-unwhitelist-from-third collection-impossible

Likelihood: High, owner can only unwhitelist the 2 first collections. Impact: Medium/High, owner has to empty the list to remove any collection, and replace all the new ones.
