Lack of access control on `cancelRequest` function allows anyone to cancel a message from L1 to L2
Summary
The L1 bridge contract's cancelRequest function allows any caller to cancel a message from L1 to L2 for any user, which is against Starknet's intended security model
Vulnerability Details
According to the Starknet documentation, only the original sender of an L1 to L2 message can initiate and complete the cancellation of that message.
However, in the current implementation of the cancelRequest function, there is no restriction or check to ensure that the caller is the original sender of the message.
Specifically, the function calls IStarknetMessaging(_starknetCoreAddress).cancelL1ToL2Message(...) without verifying the caller's identity against the original sender of the message.
This directly contradicts the Starknet's security requirement that only the original sender of the message can call the cancelL1ToL2Message function.
Impact
Any external actor can call cancelRequest regardless of whether the caller is the original sender of the message. This is in coflict with Starknet's security model, which mandates that only the original sender of the message has the authority to cancel it.
Tools Used
Manual Review
Recommendations
Implement an authorization check within the cancelRequest function to ensure that only the original sender of the L1 to L2 message can initiate and complete the cancellation process.
Lead Judging Commences
invalid-cancel-callable-by-anyone
The process to cancel a message is detailed here: https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/#l2-l1_message_cancellation Since `startRequestCancellation` has the `onlyOwner`, only the owner can begin that process.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.