NFTBridge
60,000 USDC
View results
Submission Details
Severity: low
Invalid

Canceling messages is not checking if the Bridge is enabled or not.

Vulnerability Details

L1Bridge have a pausing functionality, where if the Bridge is passed enable variable is set to false.

Bridge.sol#L358-L362

function enableBridge(
bool enable
) external onlyOwner {
_enabled = enable;
}

If the Bridge is not enabled (paused), this means we can't use it. So we are preventing Depositing and Withdrawing from that Bridge, but the problem is that canceling Messages is not checking this.

Bridge.sol#L243-L246

function cancelRequest(
uint256[] memory payload,
uint256 nonce
) external {
// @audit No checking if the Bridge is enabled or not
❌️ IStarknetMessaging(_starknetCoreAddress).cancelL1ToL2Message( ... );
Request memory req = Protocol.requestDeserialize(payload, 0);
_cancelRequest(req);
emit CancelRequestCompleted(req.hash, block.timestamp);
}

When we cancel a message from Bridge, we withdraw the Tokens from Bridge, and if the Bridge is paused this thing should not occur, as the Bridge interactions should be paused, and we should not be able to deposit or withdraw tokens from it.

Impact

The ability to interact with the Bridge and cancel messages even if the Bridge is disabled, in addition to the ability to withdraw the tokens in the canceled message.

Tools Used

Manual Review

Recommendations

Check that the Bridge is enabled when canceling the message.

diff --git a/apps/blockchain/ethereum/src/Bridge.sol b/apps/blockchain/ethereum/src/Bridge.sol
index e62c7ce..f74f3f5 100644
--- a/apps/blockchain/ethereum/src/Bridge.sol
+++ b/apps/blockchain/ethereum/src/Bridge.sol
@@ -244,6 +244,9 @@ contract Starklane is IStarklaneEvent, UUPSOwnableProxied, StarklaneState, Stark
uint256[] memory payload,
uint256 nonce
) external {
+ if (!_enabled) {
+ revert BridgeNotEnabledError();
+ }
IStarknetMessaging(_starknetCoreAddress).cancelL1ToL2Message(
snaddress.unwrap(_starklaneL2Address),
felt252.unwrap(_starklaneL2Selector),
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

invalid-cancel-when-bridge-disable

Technically, if you cancel a message, the token is not really bridged. If you can withdraw, it means that the token has already been bridged. Those two funtions do not have to be disable when the bridge is. Moreover nothing should prevent users to get back their NFT.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.