ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Unvalidated L1 Address Mapping in Bridge Deposit Function on Starknet Side Risks Token Lock-up

0xshoonya

Summary

The deposit_tokens function in the bridge.cairo contract lacks a crucial validation check for the existence of a valid L1 address mapping when processing L2 to L1 token transfers. This oversight can lead to transactions with invalid L1 collection addresses, potentially causing tokens to become locked on the Starknet L2 network.

Vulnerability Details

The deposit_tokens function bridge.cairo processes L2 to L1 transactions using the provided L2 collection address. However, it does not verify whether a valid L1 address mapping exists:

fn deposit_tokens(

ref self: ContractState,

salt: felt252,

collection_l2: ContractAddress,

owner_l1: EthAddress,

token_ids: Span<u256>,

use_withdraw_auto: bool,

use_deposit_burn_auto: bool,

) {

ensure_is_enabled(@self);

// ...

let collection_l1 = self.l2_to_l1_addresses.read(collection_l2);//@audit

let req = Request {

header: compute_request_header_v1(ctype, use_deposit_burn_auto, use_withdraw_auto),

hash: compute_request_hash(salt, collection_l2, owner_l1, token_ids),

collection_l1,

collection_l2,

owner_l1,

owner_l2: from,

name,

symbol,

base_uri,

ids: token_ids,

values: array![].span(),

uris,

new_owners: array![].span(),

};

// ...

}

The function retrieves the L1 address mapped to the provided L2 address using the l2_to_l1_addresses mapping and proceeds directly to add it to the request struct for processing on L1.

If this mapping does not exist or the user calls deposit_tokens prior to setting up of l2_to_l1_addresses mapping by the owner, the collection_l1 address will default to a zero address (0x0) or an invalid address.

In the absence of validation, the invalid collection_l1 address may lead to failed transactions on the Ethereum side, causing tokens to remain locked on L2, as they cannot be correctly bridged to L1.

Impact

Locked tokens on Starknet L2.

Tools Used

VSCode

Recommendations

Introduce a validation check in the deposit_tokens() function to ensure that a valid mapping exists for the provided collection_l2 address before proceeding with any operations.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.