ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

There is no way to change Bridgable ERC721 collections bytecode in `L1Bridge`.

alqaqa

Vulnerability Details

When Deploying a new ERC721 collection on L1, we are creating a new instance of ERC721Bridgeable(), and deploy it as a Proxy to be able to upgrade it.

Deployer.sol#L30

function deployERC721Bridgeable( ... ) ... {

❌️ address impl = address(new ERC721Bridgeable());

...

return address(new ERC1967Proxy(impl, dataInit));

}

Since this interface ERC721Bridgeable is a constant bytecode when compiling the contract, it will make the code logic of ERC721 that will get deployed when withdrawing from L1 immutable and we can't change its logic.

If we checked L2Bridge we will find this is not how it works, where it supports changing the logic of the ERC721 collection that will get deployed on L2. There is a function called set_erc721_class_hash() which changes the class_hash of the ERC721 collection addresses (which is like changing the bytecode in EVM/solidity).

bridge.cairo#L220-L223

fn set_erc721_class_hash(ref self: ContractState, class_hash: ClassHash) {

ensure_is_admin(@self);

self.erc721_bridgeable_class.write(class_hash);

}

And by changing erc721_bridgeable_class the newly created NFTs collections on L2 will have the Logic that represents that class_hash.

bridge.cairo#L448-L455

let l2_addr_from_deploy = deploy_erc721_bridgeable(

❌️ self.erc721_bridgeable_class.read(),

salt,

req.name.clone(),

req.symbol.clone(),

req.base_uri.clone(),

starknet::get_contract_address(),

);

So in L2Bridge we will be able to change the Code Logic of the ERC721 collection that will get deployed, but in L1Bridge we will not be able to do this. which means that the two Bridges are not consistent.

Tools Used

Manual Review

Recommendations

Make the bytecode a variable that can be changed, and since there is no constructor argument this will be enough.
Make the creation using create opcode, with providing that bytecode variable.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

alqaqa Submitter

about 1 year ago

n0kto Lead Judge

about 1 year ago

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!