The _withdrawFromEscrow
function in Escrow.sol
may cause a loss of funds when multiple ERC1155 tokens with the same ID are escrowed from the same user. This issue arises because the _escrow
mapping does not track the quantity of tokens, leading to incorrect state updates.
The _escrow
mapping only tracks whether a token ID is escrowed, not the quantity of tokens. After any successful withdrawal, the state is set to address(0x0)
, regardless of the number of tokens remaining. This can result in user tokens getting stuck in escrow, as the function does not correctly manage the balance of tokens.
This flaw can lead to the permanent loss of user tokens, as the remaining tokens in escrow cannot be withdrawn after the state is reset. It also introduces the risk of users losing access to their assets if multiple ERC1155 tokens are escrowed under the same ID.
To address this issue, consider either:
Modifying the _escrow
mapping to track the number of tokens escrowed, ensuring accurate state management for ERC1155 tokens.
Removing ERC1155 token handling from this function if the system is not designed to manage multiple tokens under the same ID.
Implementing one of these changes will prevent users from losing access to their tokens and ensure the correct functioning of the escrow system.
```compatibilities: Blockchains: - Ethereum/Starknet Tokens: - [ERC721](www.tokenstandard.com) ``` ``` function depositTokens( uint256 salt, address collectionL1, snaddress ownerL2, uint256[] calldata ids, bool useAutoBurn ) external payable { if (!Cairo.isFelt252(snaddress.unwrap(ownerL2))) { revert CairoWrapError(); } if (!_enabled) { revert BridgeNotEnabledError(); } CollectionType ctype = TokenUtil.detectInterface(collectionL1); if (ctype == CollectionType.ERC1155) { @> revert NotSupportedYetError(); } … } ```
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.