ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

There is no limit set for the Starknet payload bridging that can lead to losing all bridged NFTs

draiakoo

Summary

There is no limit set for the Starknet payload bridging that can lead to losing all bridged NFTs

Vulnerability Details

In the Ethereum bridge, we can see that there is a limit for the payload to send to Starknet. This basically sets a limit for the amount of tokenIDs to attach to the message.

uint256 constant MAX_PAYLOAD_LENGTH = 300;
function depositTokens(
uint256 salt,
address collectionL1,
snaddress ownerL2,
uint256[] calldata ids,
bool useAutoBurn
)
external
payable
{
...
req.tokenIds = ids;
uint256[] memory payload = Protocol.requestSerialize(req);
if (payload.length >= MAX_PAYLOAD_LENGTH) {
revert TooManyTokensError();
}
IStarknetMessaging(_starknetCoreAddress).sendMessageToL2{value: msg.value}(
snaddress.unwrap(_starklaneL2Address),
felt252.unwrap(_starklaneL2Selector),
payload
);
emit DepositRequestInitiated(req.hash, block.timestamp, payload);
}

However, for the Starknet side, there is no limit of how many NFTs we can bridge and also consulting to Starknet developers told me that there is currently no limit of payload to message between Starknet -> Ethereum. That means that if a user bridges too much NFTs the message will be sent, his Starknet NFTs will be locked in the bridge and when the user will be trying to withdraw the NFTs in Ethereum, the transaction can revert due to the huge amount of NFTs sent. If this state is reached, the user will have essentially lost all his NFTs on Starknet.

Impact

Medium

Tools Used

Manual review

Recommendations

Add a payload limit to the Starknet bridge just as how Ethereum does.

Updates

Lead Judging Commences

n0kto Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!