NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

_cancelRequest does not check for successful execution of a call, which can lead to cancelling a request without a successful call.

Summary
_cancelRequest does not check for successful execution of a call, which can lead to cancelling a request without a successful call.

Vulnerability Detail
The cancelRequest function can be called by a user to cancel any request they generated, but there is an issue in the _cancelRequest internal function: it does not check whether the withdrawal call made during the cancel succeeded or not. This allows the function to complete a cancel call without actually cancelling the request.

function _cancelRequest(Request memory req) internal {
    uint256 header = felt252.unwrap(req.header);
    CollectionType ctype = Protocol.collectionTypeFromHeader(header);
    address collectionL1 = req.collectionL1;
    for (uint256 i = 0; i < req.tokenIds.length; i++) {
        uint256 id = req.tokenIds[i];
        // @audit return value of _withdrawFromEscrow is ignored
        _withdrawFromEscrow(ctype, collectionL1, req.ownerL1, id);
    }
}

As we can see, the _cancelRequest function has no check on whether the _withdrawFromEscrow call succeeded, which leads to the issue described above.

Impact
A cancel request call can complete even after an unsuccessful withdrawal from escrow.

Tools Used

Recommendations
Add a check on whether the withdrawal succeeded:

bool wasWithdrawn = _withdrawFromEscrow(ctype, collectionL1, req.ownerL1, id);
if (!wasWithdrawn) {
    revert(); // or handle the failure the same way the withdrawToken function does
}
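The two patterns side by side, as an added example that is not part of the original submission or of the NFTBridge code: a hypothetical, self-contained escrow contract whose _withdrawFromEscrow returns false instead of reverting, with one cancel path that drops the boolean and one that reverts with a descriptive error. Everything except the names _withdrawFromEscrow and _cancelRequest (the struct fields, the mapping, the events and the error) is an assumption made for this illustration. Note the judge's point below that in the real bridge the escrow invariant already holds on the cancel path, so this shows the general check, not an exploitable state in NFTBridge.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical escrow used only to illustrate the "check the boolean
/// result" recommendation. Not the NFTBridge contract.
contract EscrowCancelExample {
    /// Emitted when a token is actually released from escrow.
    event Released(address indexed collection, address indexed to, uint256 tokenId);

    /// Descriptive revert reason used by the checked variant.
    error NotEscrowed(address collection, uint256 tokenId);

    /// collection => tokenId => depositor (address(0) means not escrowed)
    mapping(address => mapping(uint256 => address)) private _escrow;

    /// Simplified request shape (assumption for this example).
    struct Request {
        address collectionL1;
        address ownerL1;
        uint256[] tokenIds;
    }

    /// Places a token in escrow under the caller's address.
    function deposit(address collection, uint256 tokenId) external {
        _escrow[collection][tokenId] = msg.sender;
    }

    /// Lets a reader inspect escrow state after each cancel variant.
    function isEscrowed(address collection, uint256 tokenId) external view returns (bool) {
        return _escrow[collection][tokenId] != address(0);
    }

    /// Returns false (rather than reverting) when the token is not escrowed,
    /// which is the return-value shape the recommendation above checks.
    function _withdrawFromEscrow(address collection, address to, uint256 tokenId)
        internal
        returns (bool)
    {
        if (_escrow[collection][tokenId] == address(0)) {
            return false;
        }
        delete _escrow[collection][tokenId];
        // A real bridge would transfer the NFT to `to` here; we only log it.
        emit Released(collection, to, tokenId);
        return true;
    }

    /// Pattern flagged in the report: the boolean is dropped, so the call
    /// completes without reverting even for a token that was never escrowed.
    function _cancelRequestUnchecked(Request calldata req) internal {
        for (uint256 i = 0; i < req.tokenIds.length; i++) {
            uint256 id = req.tokenIds[i];
            _withdrawFromEscrow(req.collectionL1, req.ownerL1, id);
        }
    }

    /// Recommended pattern: revert on a failed withdrawal. The revert also
    /// rolls back any withdrawals made earlier in the same loop.
    function _cancelRequest(Request calldata req) internal {
        for (uint256 i = 0; i < req.tokenIds.length; i++) {
            uint256 id = req.tokenIds[i];
            bool wasWithdrawn = _withdrawFromEscrow(req.collectionL1, req.ownerL1, id);
            if (!wasWithdrawn) {
                revert NotEscrowed(req.collectionL1, id);
            }
        }
    }

    /// External entry points so both variants can be exercised from a test.
    function cancelUnchecked(Request calldata req) external {
        _cancelRequestUnchecked(req);
    }

    function cancelChecked(Request calldata req) external {
        _cancelRequest(req);
    }
}
```

Calling cancelUnchecked with a tokenId that was never deposited succeeds silently and isEscrowed still reports false, while cancelChecked reverts with NotEscrowed(collection, tokenId); the custom error carries the offending token, which is what an operator wants to see in a failed-transaction trace.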

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-_withdrawFromEscrow-result-not-checked

To cancel a message, it has to be sent to the Starknet Core, otherwise it reverts. Therefore, to cancel a request, a token will always be escrowed. There is no impact here because the described case will never happen; that's why checking that boolean is not useful.
