NFTBridge
60,000 USDC
Submission Details
Severity: medium
Valid

A user's NFT can be permanently stuck and unredeemable

Summary

In bridge::deposit_tokens(), the bool parameter use_withdraw_auto is later included in the request header.
The problem is that on Ethereum mainnet, any attempt to withdraw the bridged NFT reverts if that bool parameter was set to true in the request header.

Vulnerability Details

The natspec of bridge::deposit_tokens() states the following:

// * `use_withdraw_auto` - Tokens are automatically withdrawn on L1 using Starklane indexer.

Users on Starknet are encouraged to set use_withdraw_auto=true when calling deposit_tokens, as the natspec claims that the tokens will be automatically withdrawn on the L1.

However, this is not true. The NFT will not be automatically withdrawn. Instead, any call to Bridge.withdrawTokens() will revert due to the following check:

if (Protocol.canUseWithdrawAuto(header)) {
    revert NotSupportedYetError();
}

Impact

Since the NFT cannot be withdrawn on L1, and has already been deposited into the bridge on the L2, the NFT is permanently stuck in the L2 bridge. There is currently no way to recover the NFT from the L2 bridge.

Tools Used

Manual Review

Recommendations

Consider forcing the use_withdraw_auto parameter to be false, since it is not supported in the L1 bridge.
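
The failure and the recommended fix, as a simplified Python model added here (not code from the bridge project or from the original submission). The class names, the force_manual_withdraw switch and the WITHDRAW_AUTO bit position are assumptions made for illustration; only the flag check mirrors the snippet quoted above.

```python
# Simplified model of the L2 -> L1 flow in this finding (constructed example).
WITHDRAW_AUTO = 1 << 0  # hypothetical header bit; the real layout is not shown on the page


class NotSupportedYetError(Exception):
    """Stands in for the revert in Bridge.withdrawTokens() on L1."""


class L2Bridge:
    def __init__(self, force_manual_withdraw):
        self.force_manual_withdraw = force_manual_withdraw  # the recommended fix
        self.escrow = set()

    def deposit_tokens(self, token_id, use_withdraw_auto):
        if self.force_manual_withdraw:
            use_withdraw_auto = False  # ignore the option L1 does not support
        self.escrow.add(token_id)  # the NFT is now held by the L2 bridge
        header = WITHDRAW_AUTO if use_withdraw_auto else 0
        return {"header": header, "token_id": token_id}


class L1Bridge:
    def __init__(self):
        self.released = set()

    def withdraw_tokens(self, request):
        # Models: if (Protocol.canUseWithdrawAuto(header)) revert NotSupportedYetError();
        if request["header"] & WITHDRAW_AUTO:
            raise NotSupportedYetError()
        self.released.add(request["token_id"])


def bridge_once(force_manual_withdraw, use_withdraw_auto, token_id=1):
    """Return (escrowed_on_l2, released_on_l1) after one deposit and one withdraw attempt."""
    l2, l1 = L2Bridge(force_manual_withdraw), L1Bridge()
    request = l2.deposit_tokens(token_id, use_withdraw_auto)
    try:
        l1.withdraw_tokens(request)
    except NotSupportedYetError:
        pass  # a retry fails the same way: the flag travels in the request header
    return token_id in l2.escrow, token_id in l1.released


if __name__ == "__main__":
    print("unpatched, auto=True :", bridge_once(False, True))
    print("unpatched, auto=False:", bridge_once(False, False))
    print("patched,   auto=True :", bridge_once(True, True))
```
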

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-auto_withdrawn-L2-NFT-stuck

Impact: High, token will be stuck in L2 bridge. Likelihood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.
