NFTBridge
60,000 USDC
Submission Details
Severity: medium
Invalid

Whitelisting bypass on bridge.cairo :: white_list_collection

Summary

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/bridge.cairo#L9

The StarklaneMessaging contract contains a vulnerability in its collection whitelisting mechanism. This issue could potentially allow unauthorized actors to bypass whitelist restrictions and perform operations that should be restricted to whitelisted collections only.

Vulnerability Details

The vulnerability arises due to improper access controls and weak verification of the whitelist status. Specifically:

  • Inadequate Access Control: The white_list_collection function, which modifies the whitelist, does not enforce strict access controls, allowing unauthorized entities to add or remove collections from the whitelist.

  • Weak Whitelist Verification: The is_white_listed function may not sufficiently verify the whitelist status, potentially allowing unauthorized collections to bypass restrictions.

Impact

An attacker could potentially add malicious collections to the whitelist, which could then be used to execute restricted operations.

An attacker could remove legitimate collections from the whitelist, preventing authorized operations from being executed.

To demonstrate the bypass, first deploy the StarklaneMessaging contract, then use a contract account or an external tool to call the white_list_collection function from an unauthorized address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "../src/Whitelist.sol";

contract WhitelistTest is Test {
    Whitelist public whitelist;
    address public attacker = address(0x123);

    function setUp() public {
        whitelist = new Whitelist();
        // The test contract whitelists itself before the checks below
        whitelist.addToWhitelist(address(this));
    }

    function testWhitelistBypass() public {
        // Ensure we can call the function as a whitelisted address
        whitelist.restrictedFunction();
        // Remove ourselves from the whitelist
        whitelist.removeFromWhitelist(address(this));
        // Attempt to call restrictedFunction again
        // Expected to fail if the whitelist enforcement is correct
        vm.expectRevert("Not whitelisted");
        whitelist.restrictedFunction();
    }
}
```

Tools Used

Manual Review

Recommendations

Implement Strict Access Controls:

  • Ensure that only authorized accounts (e.g., the contract owner or admin) can call functions that modify the whitelist. Add proper access control checks to the white_list_collection function.

```cairo
fn white_list_collection(ref self: ContractState, collection: ContractAddress, enabled: bool) {
    ensure_is_admin(@self); // Ensure only the admin can modify the whitelist
    _white_list_collection(ref self, collection, enabled);
    self.emit(CollectionWhiteListUpdated {
        collection,
        enabled,
    });
}
```

Updates
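The recommendation above is the admin gate in Cairo; the following Foundry test is an added example (not the ark-project's code) written in Solidity, the language of this submission's own PoC, to show what the "unauthorized caller modifies the whitelist" check actually looks like when exercised. The `AdminGatedWhitelist` contract, its function names, and the `attacker` and `collection` addresses are all constructed for this example; `vm.prank` and `vm.expectRevert` are standard forge-std cheatcodes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import "forge-std/Test.sol";

// Hypothetical whitelist registry (not the ark-project code): only the
// admin recorded at deployment may change whitelist membership.
contract AdminGatedWhitelist {
    address public immutable admin;
    mapping(address => bool) private _whiteListed;

    event CollectionWhiteListUpdated(address indexed collection, bool enabled);

    error NotAdmin(address caller);
    error NotWhiteListed(address collection);

    constructor() {
        admin = msg.sender;
    }

    // Solidity analogue of the ensure_is_admin(@self) check
    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin(msg.sender);
        _;
    }

    // Analogue of white_list_collection with the admin check in place
    function whiteListCollection(address collection, bool enabled) external onlyAdmin {
        _whiteListed[collection] = enabled;
        emit CollectionWhiteListUpdated(collection, enabled);
    }

    function isWhiteListed(address collection) public view returns (bool) {
        return _whiteListed[collection];
    }

    // Stand-in for a bridge operation restricted to whitelisted collections
    function depositFrom(address collection) external view {
        if (!isWhiteListed(collection)) revert NotWhiteListed(collection);
    }
}

contract AdminGatedWhitelistTest is Test {
    AdminGatedWhitelist internal whitelist;
    address internal attacker = address(0x123);   // constructed address
    address internal collection = address(0x456); // constructed address

    function setUp() public {
        whitelist = new AdminGatedWhitelist(); // this test contract becomes admin
    }

    // An unauthorized caller cannot add a collection to the whitelist
    function testAttackerCannotWhitelist() public {
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(AdminGatedWhitelist.NotAdmin.selector, attacker));
        whitelist.whiteListCollection(collection, true);
        assertFalse(whitelist.isWhiteListed(collection));
    }

    // An unauthorized caller cannot remove a legitimately whitelisted collection
    function testAttackerCannotRemove() public {
        whitelist.whiteListCollection(collection, true);
        vm.prank(attacker);
        vm.expectRevert(abi.encodeWithSelector(AdminGatedWhitelist.NotAdmin.selector, attacker));
        whitelist.whiteListCollection(collection, false);
        assertTrue(whitelist.isWhiteListed(collection));
    }

    // The admin path still works, and the restricted operation follows the flag
    function testAdminControlsWhitelist() public {
        vm.expectRevert(abi.encodeWithSelector(AdminGatedWhitelist.NotWhiteListed.selector, collection));
        whitelist.depositFrom(collection);
        whitelist.whiteListCollection(collection, true);
        whitelist.depositFrom(collection); // no revert once whitelisted
    }
}
```

Note that the submission's own PoC only checks that a caller loses access after it is removed from the whitelist; the tests here instead exercise the path the report is actually concerned with, a non-admin caller attempting to add or remove entries, which is the behaviour an admin gate like ensure_is_admin is meant to block.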

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
