NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Cancelling message will be close to impossible

Summary

See Vulnerability Details.

Vulnerability Details

When messages are sent to the L2 (Starknet), the expectation is that they are consumed. If that does not happen, the owner (admin) can start message cancellation by calling the startRequestCancellation function:

    function startRequestCancellation(
        uint256[] memory payload,
        uint256 nonce
    ) external onlyOwner {
        IStarknetMessaging(_starknetCoreAddress).startL1ToL2MessageCancellation(
            snaddress.unwrap(_starklaneL2Address),
            felt252.unwrap(_starklaneL2Selector),
            payload,
            nonce
        );
        Request memory req = Protocol.requestDeserialize(payload, 0);
        emit CancelRequestStarted(req.hash, block.timestamp);
    }

The caller must provide the payload and the nonce that were used when the message was sent.
The issue is that the nonce and the payload were never returned from this call:

    IStarknetMessaging(_starknetCoreAddress).sendMessageToL2{value: msg.value}(
        snaddress.unwrap(_starklaneL2Address),
        felt252.unwrap(_starklaneL2Selector),
        payload
    );

The sendMessageToL2 function returns the payload and the nonce, but these were neither returned by the calling function nor emitted, making it hard to know

The payload can be known, since it's the serialized version of the request, but not the nonce.

Impact

Cancelling the message (request) would be close to impossible.

Tools Used

manual review

Recommendations

Return the nonce together with the payload, or emit it here:

DepositRequestInitiated()
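
The recommendation above, sketched as an added example (not code from the audited project or from this submission): the deposit path captures what the messaging call returns, emits it, and returns the nonce so the owner can later pass it to the cancellation call. It assumes sendMessageToL2 returns a message hash and a nonce, as Starknet's IStarknetMessaging interface declares; BridgeSketch, IStarknetMessagingLike and DepositNonceRecorded are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface, declared here so the example compiles on its own.
// Assumption: return types follow Starknet's IStarknetMessaging.
interface IStarknetMessagingLike {
    function sendMessageToL2(uint256 toAddress, uint256 selector, uint256[] calldata payload)
        external payable returns (bytes32 msgHash, uint256 nonce);
    function startL1ToL2MessageCancellation(
        uint256 toAddress, uint256 selector, uint256[] calldata payload, uint256 nonce
    ) external returns (bytes32);
}

// Hypothetical bridge sketch; not the audited contract.
contract BridgeSketch {
    IStarknetMessagingLike public immutable core;
    uint256 public immutable l2Address;
    uint256 public immutable l2Selector;
    address public immutable owner;

    // Hypothetical event: records the nonce needed for a later cancellation.
    event DepositNonceRecorded(bytes32 indexed msgHash, uint256 nonce, uint256[] payload);

    constructor(IStarknetMessagingLike core_, uint256 l2Address_, uint256 l2Selector_) {
        core = core_;
        l2Address = l2Address_;
        l2Selector = l2Selector_;
        owner = msg.sender;
    }

    // Captures the return values instead of discarding them, then emits and returns the nonce.
    function deposit(uint256[] calldata payload) external payable returns (uint256 nonce) {
        bytes32 msgHash;
        (msgHash, nonce) = core.sendMessageToL2{value: msg.value}(l2Address, l2Selector, payload);
        emit DepositNonceRecorded(msgHash, nonce, payload);
    }

    // The owner supplies the payload and the nonce taken from DepositNonceRecorded.
    function startRequestCancellation(uint256[] calldata payload, uint256 nonce) external {
        require(msg.sender == owner, "not owner");
        core.startL1ToL2MessageCancellation(l2Address, l2Selector, payload, nonce);
    }
}
```
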
Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
