ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Missing zero address check in depositTokens()

rilwanwild

Summary

In bridge.sol, the depostTokens() function does not implement a zero address check for the ownerL2 field. If a user provides a zero address for this field, this may result in the user's NFT being burned as it is sent to the zero address on starknet.

Vulnerability details

In bridge.sol, there is a check to ensure that the ownerL2 field provided is a valid staknet address. However, this check would still be passed even if a zero address is provided.

function depositTokens(
// Parameters
) external payable {
if (!Cairo.isFelt252(snaddress.unwrap(ownerL2))) {
revert CairoWrapError();
// Other code
}
function isFelt252(uint256 val) internal pure returns (bool) {
return val < SN_MODULUS;
}

Impact

This could result in users unintentionally burning their NFT during the bridging process, if they pass in a zero address as the ownerL2 field. Thier NFT would be lost forever and irrecoverable.

Recommendation

Implement a check to ensure that zero address is not provided for the ownerL2 field.

function depositTokens(
// Parameters
) external payable {
if (ownerL2 == 0x0) {
revert ZeroAddressError();
// Other code
}

Tools Used

Manual review

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.