NFTBridge
60,000 USDC
Submission Details
Severity: high
Valid

Users could lose hold of their tokens due to their counterpart addresses not being set on either chain

Vulnerability Details

If the whitelist is not enabled, or a collection has been whitelisted but its L2 counterpart has not been set, then every call to deposit on L2 except the first one will fail; the same is true in the reverse direction.

On the L1 bridge, the L2 address is determined by

```
req.collectionL2 = _l1ToL2Addresses[collectionL1];
```

This would be the zero address until that value is set.

On L2, this function would be called when trying to withdraw:

```
fn verify_collection_address(
    l1_req: EthAddress,
    l2_req: ContractAddress,
    l1_bridge: EthAddress,
    l2_bridge: ContractAddress,
) -> ContractAddress {
    // L1 address must always be set as we receive the request from L1.
    if l1_req.is_zero() {
        panic!("L1 address cannot be 0");
    }
    // L1 address is present in the request and L2 address is not.
    if l2_req.is_zero() {
        if l2_bridge.is_zero() {
            // It's the first token of the collection to be bridged.
            return ContractAddressZeroable::zero();
        }
    } else {
        // L1 address is present, and L2 address too.
        if l2_bridge != l2_req {
            panic!("Invalid collection L2 address");
        }
        if l1_bridge != l1_req {
            panic!("Invalid collection L1 address");
        }
    }
    l2_bridge
}
```

On the first call, both `l2_req` and `l2_bridge` would be the zero address on their respective chains, hence the checks pass; on subsequent calls, however, `l2_bridge` would already have been set while `l1_req` would be the zero address, causing the code to panic.


This can easily be resolved by the admins setting the counterpart address on either chain; however, users who had already deposited would have to cancel their request and wait the required five days before they can get their tokens back.
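
To make the sync gap concrete, here is an added Python model of the two checks quoted above (the L1 mapping lookup and the L2 `verify_collection_address` function); it is not the project's Cairo or Solidity code. The L2 receive flow (deploy on first bridge, record the pair on L2 only) and the `unsynced_collections` admin check are assumptions made for the walkthrough, and addresses are plain integers with 0 meaning unset.

```python
# Added model of the address checks quoted in this finding; it is not the
# project's Cairo or Solidity code. Addresses are plain ints (0 = unset).

class BridgePanic(Exception):
    """Stands in for Cairo's panic!()."""

def verify_collection_address(l1_req, l2_req, l1_bridge, l2_bridge):
    """Port of the L2 verify_collection_address shown in the finding."""
    if l1_req == 0:                      # request always carries the L1 address
        raise BridgePanic("L1 address cannot be 0")
    if l2_req == 0:
        if l2_bridge == 0:
            return 0                     # first token of the collection: deploy
    else:
        if l2_bridge != l2_req:
            raise BridgePanic("Invalid collection L2 address")
        if l1_bridge != l1_req:
            raise BridgePanic("Invalid collection L1 address")
    return l2_bridge

def panics(*args):
    """True if verify_collection_address panics for these arguments."""
    try:
        verify_collection_address(*args)
        return False
    except BridgePanic:
        return True

def deposit_from_l1(l1_to_l2_on_l1, collection_l1):
    """Builds the L1 request: req.collectionL2 = _l1ToL2Addresses[collectionL1]."""
    return {"collection_l1": collection_l1,
            "collection_l2": l1_to_l2_on_l1.get(collection_l1, 0)}

def receive_on_l2(req, l1_to_l2_on_l2, l2_to_l1_on_l2, deployed_l2_addr):
    """Assumed L2 handling: verify, deploy on first bridge, record the pair on L2 only."""
    l2_bridge = l1_to_l2_on_l2.get(req["collection_l1"], 0)
    l1_bridge = l2_to_l1_on_l2.get(l2_bridge, 0)
    l2_addr = verify_collection_address(req["collection_l1"], req["collection_l2"],
                                        l1_bridge, l2_bridge)
    if l2_addr == 0:                     # first bridge: deploy and remember on L2
        l2_addr = deployed_l2_addr
        l1_to_l2_on_l2[req["collection_l1"]] = l2_addr
        l2_to_l1_on_l2[l2_addr] = req["collection_l1"]
    return l2_addr

def unsynced_collections(l1_to_l2_on_l1, l1_to_l2_on_l2):
    """Admin check: collections L2 knows that L1 still maps to zero or elsewhere."""
    return sorted(c for c, l2 in l1_to_l2_on_l2.items()
                  if l2 and l1_to_l2_on_l1.get(c, 0) != l2)

def walkthrough():
    """First bridge of constructed collection 0xA1 deploying 0xB2 on L2."""
    l1_map, l2_map, l2_rev = {}, {}, {}
    first = receive_on_l2(deposit_from_l1(l1_map, 0xA1), l2_map, l2_rev, 0xB2)
    # Nothing wrote l1_map: the next L1 deposit still carries collectionL2 == 0.
    second_req = deposit_from_l1(l1_map, 0xA1)
    return first, second_req["collection_l2"], unsynced_collections(l1_map, l2_map)
```

Running `walkthrough()` shows the first bridge succeeding with address 0 (deploy), the second L1 request still carrying a zero L2 address, and the admin check flagging collection 0xA1 as needing its counterpart set.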

Impact
users would lose hold of their tokens for a certain amount of time

Tools Used

manual analysis

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-first-bridgeof-a-collection-L1<->L2-do-not-sync-addresses

Likelihood: High, any collections bridged, without bridge owner action, will be unable to bridge back. Impact: High, L2 -> L1 tokens will be stuck in the bridge. L1 -> L2 will need to ask for a cancellation.
