If a user bridges their NFT and loses the corresponding token on either L1 or L2, the original NFT can become permanently stuck in escrow.
User tokens can be irretrievably stuck in escrow, leading to permanent loss of access to the NFT. The likelihood of this kinda situation is low but the impact is very high, so for that reason the severity is marked medium.
If an NFT like Bored Ape #7 is bridged from L1 to L2, the original NFT is placed in escrow, and a corresponding token #7 is issued on L2.
If token #7 is lost on L2 due to hacking, burning, accidental listing on a marketplace (e.g., OpenSea), or being escrowed on another compromised platform, the original NFT in L1 escrow cannot be retrieved.
A similar scenario applies when bridging from L2 to L1. Losing the token on either side results in the original escrowed NFT being stuck forever.
I think there should be an emergency recovery mechanism to allow legitimate users to reclaim their tokens from escrow, ensuring that NFTs are not permanently lost due to issues on either side of the bridge.
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
A PoC always helps to understand the real impact possible.