NFTBridge
60,000 USDC
Submission Details
Severity: medium
Invalid

Lack of L(1-2) Collection Ownership Transfer Mechanism for L(2-1) Collection Owners

Overview

This bug applies in both directions, L1 -> L2 and L2 -> L1. For simplicity, this report covers only the L1 -> L2 direction.

The current architecture of the Ark Project bridge fails to provide L1 collection owners with ownership rights over automatically deployed L2 collections. This oversight leads to a centralization of control and limits the ability of collection owners to manage their assets across both chains effectively.

Vulnerability Details

Description

  1. Initial Bridge Operation:

    • When an NFT from a collection is bridged for the first time, the system automatically deploys a new ERC721 contract on L2.

  2. Ownership Assignment:

    • The newly deployed L2 contract's ownership is not transferred to the original L1 collection owner.

  3. Control Limitations:

    • L1 collection owners have no direct control or management capabilities over their corresponding L2 collections.

Impact

  1. Limited Management: L1 collection owners cannot perform crucial management tasks on L2, such as:

    • Upgrading contract functionality

    • Modifying metadata

    • Implementing royalty mechanisms

  2. Centralization Risks: Control over L2 collections remains centralized with the bridge operators.

  3. Fragmented Ecosystem: Discrepancies between L1 and L2 collection management may lead to inconsistent user experiences.

  4. Reduced Adoption: Collection owners may be hesitant to use the bridge due to loss of control over their L2 assets.

Reproduction Scenario

  1. An L1 collection owner bridges an NFT from their collection for the first time.

  2. Observe that a new L2 collection is deployed automatically.

  3. Attempt to perform owner-level operations on the L2 collection as the L1 owner.

  4. Note that these operations fail due to lack of ownership rights.

Mitigation

Recommended Solutions

  1. Ownership Claim Mechanism:
    Implement a function in the bridge contract allowing L1 collection owners to claim ownership of their L2 collections:

  2. Automatic Ownership Transfer:
    Modify the L2 collection deployment process to automatically transfer ownership to the L1 collection owner:

  3. Governance Proposal:
    Implement a governance mechanism allowing L1 collection owners to propose and vote on L2 collection management decisions.
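
The ownership claim flow from recommended solution 1, modelled in Python with both bridge sides (an added example, not part of the submission and not Ark Project code). All class, method and address names are hypothetical, and the bridge holding L2 ownership after deployment is an assumption.

```python
from dataclasses import dataclass, field

class ClaimError(Exception):
    """Raised when an ownership claim fails a check on either chain."""

@dataclass(frozen=True)
class Message:                 # cross-chain message as delivered on L2 (hypothetical shape)
    from_bridge: str           # L1 sender, as reported by the messaging layer
    l1_collection: str
    new_l2_owner: str

@dataclass
class L1Bridge:
    address: str
    l1_owners: dict            # constructed stand-in for each L1 collection's owner()
    outbox: list = field(default_factory=list)

    def claim_l2_ownership(self, caller, l1_collection, l2_recipient):
        # Only the current L1 owner may claim. The check runs at call time,
        # so after an L1 ownership transfer the new owner can claim again.
        if self.l1_owners.get(l1_collection) != caller:
            raise ClaimError("caller is not the L1 collection owner")
        msg = Message(self.address, l1_collection, l2_recipient)
        self.outbox.append(msg)
        return msg

@dataclass
class L2Bridge:
    trusted_l1_bridge: str
    l1_to_l2: dict = field(default_factory=dict)  # filled on first bridge of a collection
    l2_owner: dict = field(default_factory=dict)  # L2 collection -> current owner

    def deploy_on_first_bridge(self, l1_collection, l2_collection):
        # As the report describes, the L1 owner gets no ownership here;
        # that the bridge itself holds it is an assumption of this model.
        self.l1_to_l2[l1_collection] = l2_collection
        self.l2_owner[l2_collection] = "l2_bridge"

    def handle_claim(self, msg):
        # Accept claims only from the known L1 bridge, never an arbitrary L1 sender.
        if msg.from_bridge != self.trusted_l1_bridge:
            raise ClaimError("message not sent by the trusted L1 bridge")
        l2_collection = self.l1_to_l2.get(msg.l1_collection)
        if l2_collection is None:
            raise ClaimError("collection has not been bridged yet")
        self.l2_owner[l2_collection] = msg.new_l2_owner
        return l2_collection
```

The L2 recipient is passed explicitly because the claimant's L1 address cannot be assumed to exist or be controlled by the same party on L2.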

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

m4k2xmk Submitter
10 months ago
n0kto Lead Judge
9 months ago
n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
