ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

Dangerous array `_collections`

q3x

Summary

The _collections array in Bridge.sol is only appended to and never pruned, which can lead to a denial of service (DoS) due to gas limitations when interacting with this array.

Vulnerability Details

In Bridge.sol, elements are ONLY ADDED into the array _collections, and these are not removed in any other function, when they actually should be. This can lead to DOS. The following function will reach a limit of gas in a block when _collections.length ≈ 12_000

function _whiteListCollection(address collection, bool enable) internal {

if (enable && !_whiteList[collection]) {

while(i < _collections.length) {

}

if (toAdd) {

_collections.push(collection);

}

_whiteList[collection] = enable;

}

An attack on this function would be as follows :

User deploys multiple contracts on l2 and bridge an NFT to l1. ( whitelist flag is by default set to false )
User withdraws for each NFT contract on L1.
The function withdrawTokens will always call whitelistCollection here, even when the whitelist flag is set to false, and will set the mapping to true.
The user can increase the size of the _collections array by deploying more contracts on L2 and withdrawing them on L1.
when the _collections array reaches a certain size, the function _whiteListCollection will reach the gas limit and the function will be unusable for new NFTs deployed on L2.
Even though the owner is able to set the whitelist flag to false, or set an address to non whitelisted, the function _whiteListCollection will still be unusable because the length of the _collections array cant be reduced.

Location:

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L344
https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L314

Impact

The probability of this issue occurring is medium, but the impact is high. The function _whiteListCollection becomes unusable when the array size exceeds a certain limit, causing the contract to be unable to handle new whitelisting operations causing denial of service

Tools Used

Manual code review

Recommendations

it seems the array _collections is only used for reading purposes on getWhiteListedCollections() , rather than using an array, consider just using the already existing mapping and use a counter to keep track of the number of collections. When reading just iterate over the mapping and return the keys with value true.

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-collections-always-withelisted-on-both-chain-withdraw-impossible-collections-array-will-be-OOG

Likelyhood: High, once the whitelist option is disabled, collections will grow. Impact: High, withdraw won’t be possible because of Out-Of-Gas.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!