NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Use the safe variants instead of transfer_from and mint for ERC721 tokens

Summary

Some smart contracts cannot handle ERC721 tokens. Delivering an NFT to such a contract with transferFrom() or mint() succeeds anyway, because neither function checks that the recipient can ever move the token again. EIP-721 states:

A wallet/broker/auction application MUST implement the wallet interface if it will accept safe transfers.

On the Cairo side, the bridge delivers ERC721 tokens during withdrawal through the unchecked transfer_from and mint_from_bridge paths, so a withdrawal whose recipient is a contract that cannot handle ERC721 tokens could leave the NFT permanently stuck there.

Vulnerability Details

In the withdraw_auto_from_l1 function of the Cairo bridge contract, the following code delivers each withdrawn NFT:


if is_escrowed {
    IERC721Dispatcher { contract_address: collection_l2 }
        .transfer_from(from, to, token_id);
} else {
    if (req.uris.len() != 0) {
        let token_uri = req.uris[i];
        IERC721BridgeableDispatcher { contract_address: collection_l2 }
            .mint_from_bridge_uri(to, token_id, token_uri.clone());
    } else {
        IERC721BridgeableDispatcher { contract_address: collection_l2 }
            .mint_from_bridge(to, token_id);
    }
}

All three branches skip the receiver check: the escrow branch calls transfer_from rather than safe_transfer_from, and the two mint branches call mint_from_bridge / mint_from_bridge_uri rather than a safe mint, so nothing verifies that the `to` address is able to accept an ERC721 token.

Impact

If the recipient (the `to` address) is a contract that does not implement the ERC721 receiver interface, the NFT could end up permanently locked in that contract.

Tools Used

Manual review

Recommendations

Use safe_transfer_from for the escrow branch and a safe mint (one that performs the on_erc721_received check) for the two mint branches, so that a recipient contract which cannot handle ERC721 tokens makes the delivery revert instead of receiving a token it can never move.
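The same withdrawal branch rewritten on the safe paths, as an added example that is not the bridge's code. It assumes the OpenZeppelin Contracts for Cairo IERC721 interface (whose safe_transfer_from takes a trailing `data: Span<felt252>`), a ByteArray token URI as in the snippet above, and two hypothetical entry points, safe_mint_from_bridge and safe_mint_from_bridge_uri, on IERC721Bridgeable that the collection would implement on top of ERC721Component's safe_mint:

```cairo
// Added example, not the bridge's code. Assumptions: OpenZeppelin Cairo's
// IERC721 (safe_transfer_from with a `data: Span<felt252>` argument), a
// ByteArray token URI, and the hypothetical safe_mint_from_bridge /
// safe_mint_from_bridge_uri entry points declared below.
use starknet::ContractAddress;
use openzeppelin::token::erc721::interface::{IERC721Dispatcher, IERC721DispatcherTrait};

#[starknet::interface]
trait IERC721Bridgeable<TState> {
    // Hypothetical safe counterparts of mint_from_bridge / mint_from_bridge_uri.
    // The collection implements them with ERC721Component's safe_mint, which
    // stores the token and then runs the receiver check when `to` has code.
    fn safe_mint_from_bridge(ref self: TState, to: ContractAddress, token_id: u256);
    fn safe_mint_from_bridge_uri(
        ref self: TState, to: ContractAddress, token_id: u256, token_uri: ByteArray
    );
}

/// Delivers one withdrawn token. Reverts instead of stranding the token when
/// `to` is a contract that neither implements IERC721Receiver nor is an account.
fn deliver_withdrawn_token(
    collection_l2: ContractAddress,
    from: ContractAddress,
    to: ContractAddress,
    token_id: u256,
    is_escrowed: bool,
    token_uri: Option<ByteArray>,
) {
    // The bridge attaches no payload, so an empty span is passed as `data`.
    let data: Span<felt252> = array![].span();
    if is_escrowed {
        // The receiver check runs inside the collection's safe_transfer_from.
        IERC721Dispatcher { contract_address: collection_l2 }
            .safe_transfer_from(from, to, token_id, data);
    } else {
        let bridgeable = IERC721BridgeableDispatcher { contract_address: collection_l2 };
        match token_uri {
            Option::Some(uri) => bridgeable.safe_mint_from_bridge_uri(to, token_id, uri),
            Option::None => bridgeable.safe_mint_from_bridge(to, token_id),
        }
    }
}
```

On the collection side, the hypothetical safe_mint_from_bridge variants would call ERC721Component's safe_mint, which, when `to` has code, requires the recipient either to answer on_erc721_received with IERC721_RECEIVER_ID or to advertise the SRC6 account interface through SRC5, and panics otherwise. One caveat for a bridge: because delivery happens inside the withdrawal handler, a failed receiver check reverts that whole withdrawal rather than silently delivering the token, so the bridge needs a path that keeps such a token claimable (for example, leaving it escrowed for a later explicit claim) instead of treating the revert as the end of the story.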

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

m4k2xmk Submitter, about 1 year ago
n0kto Lead Judge, about 1 year ago
