The Ark Project bridge contract (Bridge.sol) implements a two-step cancellation process for cross-chain requests. However, the initiation of this process is restricted to the contract owner, introducing a single point of failure that could potentially lead to user funds being locked indefinitely.
Function: startRequestCancellation
File: Bridge.sol
The startRequestCancellation function is currently protected by the onlyOwner modifier:
This creates a dependency on the contract owner for initiating cancellations.
Delayed Cancellations: Users may experience significant delays in cancelling failed or stuck transactions if the owner is unresponsive.
User Trust: The reliance on a single entity for crucial operations may negatively impact user confidence in the bridge.
Remove the onlyOwner modifier from the startRequestCancellation function:
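An added sketch, not the Ark Project's code, contrasting the owner-only gate described above with one alternative: letting the depositor of a request (or the owner) start its cancellation. The contract name, the requester mapping, recordRequest, the event and the error names are assumptions made for illustration; removing the modifier with no replacement check would instead let any address call the function for any request.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified, hypothetical model of step one of a two-step cancellation.
contract CancellationSketch {
    address public immutable owner;
    // request hash => depositor recorded at deposit time (assumed bookkeeping)
    mapping(bytes32 => address) public requester;
    // request hash => time cancellation was started (0 = not started)
    mapping(bytes32 => uint256) public cancelStartedAt;

    event CancellationStarted(bytes32 indexed reqHash, uint256 timestamp);

    error NotAuthorized();
    error UnknownRequest();
    error RequestExists();
    error AlreadyStarted();

    constructor() { owner = msg.sender; }

    // Stand-in for the deposit path: remember who created the request.
    function recordRequest(bytes32 reqHash) external {
        if (requester[reqHash] != address(0)) revert RequestExists();
        requester[reqHash] = msg.sender;
    }

    // Before: only the owner can start the cancellation (single point of failure).
    function startCancellationOwnerOnly(bytes32 reqHash) external {
        if (msg.sender != owner) revert NotAuthorized();
        _start(reqHash);
    }

    // After: the depositor of this request, or the owner, can start it.
    function startCancellation(bytes32 reqHash) external {
        address r = requester[reqHash];
        if (r == address(0)) revert UnknownRequest();
        if (msg.sender != r && msg.sender != owner) revert NotAuthorized();
        _start(reqHash);
    }

    function _start(bytes32 reqHash) private {
        if (cancelStartedAt[reqHash] != 0) revert AlreadyStarted();
        cancelStartedAt[reqHash] = block.timestamp;
        emit CancellationStarted(reqHash, block.timestamp);
    }
}
```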
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.