In bridge.cairo, the deposit_tokens() function does not implement a zero address check for the owner_l1 field. If a user provides a zero address for this field, this may result in the user's NFT being burned as it is sent to the zero address on Ethereum.
In bridge.cairo, there is a check to ensure that the owner_l1 field provided is a valid Ethereum address. However, this check would still be passed even if a zero address is provided.
It would be possible to pass a zero address (0x0) as the owner_l1 parameter. The EthAddress struct doesn't have any built-in validation to prevent this.
This could result in users unintentionally burning their NFT during the bridging process if they pass in a zero address as the owner_l1 field. Their NFT would be lost forever and irrecoverable.
Implement a check to ensure that a zero address is not provided for the owner_l1 field.
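One way to implement the recommended check, as an added example that is not the project's own code: the helper name assert_valid_l1_owner and its error string are hypothetical, and the example assumes the existing validity check is the corelib felt252-to-EthAddress range conversion. The tests show that this conversion accepts 0 while the added guard rejects it.

```cairo
use core::num::traits::Zero;
use starknet::EthAddress;

// Hypothetical helper (not from bridge.cairo): call it at the top of
// deposit_tokens(), before any token is escrowed or any L1 message is sent.
fn assert_valid_l1_owner(owner_l1: EthAddress) {
    assert(owner_l1.is_non_zero(), 'owner_l1 is zero address');
}

#[cfg(test)]
mod tests {
    use starknet::EthAddress;
    use super::assert_valid_l1_owner;

    // Assumption: the "valid Ethereum address" check is the corelib range
    // check (value < 2^160). It rejects oversized values but lets 0 through.
    #[test]
    fn range_check_alone_accepts_zero() {
        let zero: Option<EthAddress> = 0_felt252.try_into();
        assert(zero.is_some(), 'zero should pass range check');

        // 2^160 is one past the largest 20-byte value.
        let too_big: Option<EthAddress> =
            0x10000000000000000000000000000000000000000_felt252.try_into();
        assert(too_big.is_none(), '2^160 should be rejected');
    }

    // Constructed sample value standing in for a user's L1 address.
    #[test]
    fn guard_accepts_non_zero_owner() {
        let owner: EthAddress = 0x1234_felt252.try_into().unwrap();
        assert_valid_l1_owner(owner);
    }

    // The zero address is a well-formed EthAddress, so only the explicit
    // guard stops the deposit from proceeding.
    #[test]
    #[should_panic(expected: ('owner_l1 is zero address',))]
    fn guard_rejects_zero_owner() {
        let zero: EthAddress = 0_felt252.try_into().unwrap();
        assert_valid_l1_owner(zero);
    }
}
```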
Manual review
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.