ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Canceling messages is not checking if the Bridge is enabled or not.

alqaqa

Vulnerability Details

L1Bridge have a pausing functionality, where if the Bridge is passed enable variable is set to false.

Bridge.sol#L358-L362

function enableBridge(

bool enable

) external onlyOwner {

_enabled = enable;

}

If the Bridge is not enabled (paused), this means we can't use it. So we are preventing Depositing and Withdrawing from that Bridge, but the problem is that canceling Messages is not checking this.

Bridge.sol#L243-L246

function cancelRequest(

uint256[] memory payload,

uint256 nonce

) external {

// @audit No checking if the Bridge is enabled or not

❌️ IStarknetMessaging(_starknetCoreAddress).cancelL1ToL2Message( ... );

Request memory req = Protocol.requestDeserialize(payload, 0);

_cancelRequest(req);

emit CancelRequestCompleted(req.hash, block.timestamp);

}

When we cancel a message from Bridge, we withdraw the Tokens from Bridge, and if the Bridge is paused this thing should not occur, as the Bridge interactions should be paused, and we should not be able to deposit or withdraw tokens from it.

Impact

The ability to interact with the Bridge and cancel messages even if the Bridge is disabled, in addition to the ability to withdraw the tokens in the canceled message.

Tools Used

Manual Review

Recommendations

Check that the Bridge is enabled when canceling the message.

diff --git a/apps/blockchain/ethereum/src/Bridge.sol b/apps/blockchain/ethereum/src/Bridge.sol

index e62c7ce..f74f3f5 100644

--- a/apps/blockchain/ethereum/src/Bridge.sol

+++ b/apps/blockchain/ethereum/src/Bridge.sol

@@ -244,6 +244,9 @@ contract Starklane is IStarklaneEvent, UUPSOwnableProxied, StarklaneState, Stark

uint256[] memory payload,

uint256 nonce

) external {

+ if (!_enabled) {

+ revert BridgeNotEnabledError();

+ }

IStarknetMessaging(_starknetCoreAddress).cancelL1ToL2Message(

snaddress.unwrap(_starklaneL2Address),

felt252.unwrap(_starklaneL2Selector),

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

invalid-cancel-when-bridge-disable

Technically, if you cancel a message, the token is not really bridged. If you can withdraw, it means that the token has already been bridged. Those two funtions do not have to be disable when the bridge is. Moreover nothing should prevent users to get back their NFT.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.