NFTBridge
60,000 USDC
View results
Submission Details
Severity: low
Invalid

Potential Loss of Funds When Escrowing Multiple ERC1155 Tokens with the Same ID

Summary

The _withdrawFromEscrow function in Escrow.sol may cause a loss of funds when multiple ERC1155 tokens with the same ID are escrowed from the same user. This issue arises because the _escrow mapping does not track the quantity of tokens, leading to incorrect state updates.

Vulnerability Details

The _escrow mapping only tracks whether a token ID is escrowed, not the quantity of tokens. After any successful withdrawal, the state is set to address(0x0), regardless of the number of tokens remaining. This can result in user tokens getting stuck in escrow, as the function does not correctly manage the balance of tokens.

Impact

This flaw can lead to the permanent loss of user tokens, as the remaining tokens in escrow cannot be withdrawn after the state is reset. It also introduces the risk of users losing access to their assets if multiple ERC1155 tokens are escrowed under the same ID.

Recommendations

To address this issue, consider either:

  1. Modifying the _escrow mapping to track the number of tokens escrowed, ensuring accurate state management for ERC1155 tokens.

  2. Removing ERC1155 token handling from this function if the system is not designed to manage multiple tokens under the same ID.

Implementing one of these changes will prevent users from losing access to their tokens and ensure the correct functioning of the escrow system.

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

invalid-ERC1155-not-in-scope

```compatibilities: Blockchains: - Ethereum/Starknet Tokens: - [ERC721](www.tokenstandard.com) ``` ``` function depositTokens( uint256 salt, address collectionL1, snaddress ownerL2, uint256[] calldata ids, bool useAutoBurn ) external payable { if (!Cairo.isFelt252(snaddress.unwrap(ownerL2))) { revert CairoWrapError(); } if (!_enabled) { revert BridgeNotEnabledError(); } CollectionType ctype = TokenUtil.detectInterface(collectionL1); if (ctype == CollectionType.ERC1155) { @> revert NotSupportedYetError(); } … } ```

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.