ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Unintended Whitelisting of Collections in `withdrawTokens` Function Without Global Whitelist Check

0xshoonya

Summary

The withdrawTokens function in the L1 bridge contract includes a call to the _whiteListCollection function, which automatically whitelists a newly deployed ERC721 collection if it does not already exist. This process occurs without first checking if the whitelist is globally enabled, potentially leading to unintended or unauthorized collections being added to the whitelist.

Vulnerability Details

The vulnerability arises from the following code in the withdrawTokens function:

function withdrawTokens(
uint256[] calldata request
) external payable returns (address)
{
...snip...
if (collectionL1 == address(0x0)) {
if (ctype == CollectionType.ERC721) {
collectionL1 = _deployERC721Bridgeable(
req.name,
req.symbol,
req.collectionL2,
req.hash
);
// update whitelist if needed
_whiteListCollection(collectionL1, true);
} else {
revert NotSupportedYetError();
}
}
...snip...
}

The _whiteListCollection function is called to automatically add the newly deployed collection to the whitelist. However, the code does not verify whether the whitelist is globally enabled before making this call.

function isWhiteListEnabled() external view returns (bool) {
return _whiteListEnabled;
}

Have a look at the _whiteListCollection function:

function _whiteListCollection(address collection, bool enable) internal {
if (enable && !_whiteList[collection]) {
bool toAdd = true;
uint256 i = 0;
while(i < _collections.length) {
if (collection == _collections[i]) {
toAdd = false;
break;
}
i++;
}
if (toAdd) {
_collections.push(collection);
}
}
_whiteList[collection] = enable;
}

This is problematic because:

In the withdrawTokens Function: If the whitelist is globally disabled, the automatic whitelisting of a collection should not occur. By failing to check the global whitelist status, the function risks adding collections to the whitelist without the owner's explicit intention, potentially leading to security vulnerabilities.

In the whiteList Function: Similarly, the whiteList function does not check if the whitelist is enabled before updating the whitelist status for a given collection. This lack of verification could result in inconsistent whitelist states, where collections are added or removed from the whitelist without regard for the global whitelist policy.

function whiteList(address collection, bool enable) external onlyOwner {
_whiteListCollection(collection, enable);
emit CollectionWhiteListUpdated(collection, enable);
}

Impact

Collections could be whitelisted automatically when the whitelist is globally disabled, leading to unauthorized collections being permitted when the whitelist is later enabled.

Tools Used

Manual Review

Recommendations

To mitigate this issue, the contract should include a check to verify whether the global whitelist is enabled before adding or removing collections from the whitelist. The code should be updated as follows:

In the withdrawTokens Function:

- _whiteListCollection(collectionL1, true);
+ if (_whiteListEnabled) {
+ _whiteListCollection(collectionL1, true);
}

In the whiteList Function:

function whiteList(address collection, bool enable) external onlyOwner {
+ require(_whiteListEnabled, "Whitelist is not globally enabled");
_whiteListCollection(collection, enable);
emit CollectionWhiteListUpdated(collection, enable);
}
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!