ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: high

Valid

NFT will be struck in bridge contract in some case

AllTooWell

Summary

NFT will be struck in bridge contract in some case.

Vulnerability Details

A NFT series is first bridged from source chain to target chain. Then a new NFT contract on target chain is deployed and whitelisted. L1-L2 collection mapping is updated on traget chain. If L1-L2 collection mapping isn't updated on source chain timely, the new minted NFT is bridged back and will be stuck.

POC

A want to bridge his NFT from L1 to L2. This is the first bridge of this NFT series.

A call depositTokens on L1. The owner on L2 is A'.
withdraw_auto_from_l1 is called on L2. Because this NFT serise hasn't been bridged yet. A new NFT contract is deployed. The L1-L2 collection mappings on L2 are to be set and the new NFT contract is whitelisted. A' get new minted NFT.
A' want to bridge his newly acquired NFT back from L2 to L2 immediately. At this time the L1-L2 collection mappings on L1 hasn't updated yet.
A' call deposit_Tokens on L2. Because the NFT contract/collection is whitelisted. The call will be successful. The owner on L1 is A.
A call withdrawTokens on L1. Because l1Req > 0, l2Req > 0 and L1-L2 collection mappings isn't set with new collection on L2, withdrawTokens will revert.

CollectionManager::_verifyRequestAddresses

if (l2Req > 0 && l1Req > address(0)) {

if (l1Mapping != l1Req) {

@ revert InvalidCollectionL1Address();

} else if (l2Mapping != l2Req) {

revert InvalidCollectionL2Address();

} else {

// All addresses match, we don't need to deploy anything.

return l1Mapping;

}

At @, the call will revert.

Impact

NFT will be struck in bridge contract in some case.

Tools Used

manual

Recommendations

Don't whitelist a new deployed contract immediately. First set L1-L2 collection mappings on source chain and traget chain. Then whitelist the collection.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-first-bridgeof-a-collection-L1<->L2-do-not-sync-addresses

Likelyhood: High, any collections bridged, without bridge owner action, will be unable to bridge back. Impact: High, L2 -> L1 tokens will be stuck in the bridge. L1 -> L2 will need to ask for a cancellation.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.