ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

tokens may be minted to non ERC721 receivers

745fe9f9c2

Summary

withdrawTokens uses _mint rather than _safeMint and does not check that the receiver accepts ERC721 token transfers

Vulnerability Details

in withdrawTokens function if the _withdrawFromEscrow is not successful as we can see

if (!wasEscrowed) {
// TODO: perhaps, implement the same interface for ERC721 and ERC1155
// As we only want to deal with ERC1155 token with value = 1.
// Also, check what to do with URIs. If the URI storage is supported
// or not for ERC721. If supported, we may need to mint with an URI.
IERC721Bridgeable(collectionL1).mintFromBridge(req.ownerL1, id);
}

the function then mint an NFT to ownerL1

IERC721Bridgeable(collectionL1).mintFromBridge(req.ownerL1, id);
function mintFromBridge(address to, uint256 id)
public
onlyOwner {
_mint(to, id);
}

it will mint to req.ownerL1 , but mintFromBridge use _mint function which it not safe to mint an NFT , if the req.ownerL1 is a a contract that does not implement the onERC721Received method NFT will lost.

Impact

NFT will lost.

Tools Used

Manual review

Recommendations

Consider using safeMint.

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

745fe9f9c2 Submitter
11 months ago
n0kto Lead Judge
11 months ago
n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.