The use_deposit_burn_auto parameter is passed from the Starknet bridge to the Ethereum bridge, but it is not utilized in the Ethereum bridge's Solidity code. If this parameter is not used, it should be removed to avoid confusion. Additionally, if there are plans to implement an auto burn feature, it should include a check to ensure that only synthetic tokens are burned and not native ones, to prevent the permanent loss of NFTs.
The use_deposit_burn_auto parameter is passed from the Starknet bridge to the Ethereum bridge, where it is intended to control whether automatic burning of tokens should occur. However, the current Solidity implementation of the Ethereum bridge ignores the corresponding useAutoBurn parameter, rendering use_deposit_burn_auto redundant. This can lead to confusion for developers and users, as the parameter's purpose is not reflected in the Solidity code. Additionally, if an auto burn feature is implemented in the future without a proper check, native tokens (which the bridge cannot re-mint) could be burned, leading to irreversible loss of NFTs.
Redundant Parameter: The presence of an unused parameter creates confusion and potential misconfiguration, as developers may expect it to have an effect based on its presence.
Potential for Token Loss: If auto burn functionality is implemented without appropriate checks, native tokens could be mistakenly burned, leading to a permanent loss of NFTs.
Increased Complexity: Unused parameters add unnecessary complexity to the code, making it harder to maintain and understand.
Remove Unused Parameter: If the use_deposit_burn_auto parameter is not intended to be used in the Ethereum bridge, remove it from the code to reduce confusion and simplify the contract.
Implement Auto Burn Safeguards: If implementing an auto burn feature, ensure that it includes checks to differentiate between synthetic and native tokens. This will prevent the accidental burning of native tokens.
Review Parameter Usage: Review the entire codebase to ensure that any parameters passed between the Starknet and Ethereum bridges are properly utilized. Ensure that there is no ambiguity regarding their purpose and effect.
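One way to implement the safeguard described in the second recommendation, as an added example that is not part of the finding or the bridge's own code: a deposit path that honours the auto-burn flag only for collections the bridge itself deployed (synthetic), and escrows everything else. Every name here (AutoBurnGuardExample, _isSynthetic, _escrow, the ISyntheticERC721 interface and its burn function) is an assumption, not an identifier from the bridge.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example added by the editor; not the bridge's own code.
// All contract, mapping and interface names below are hypothetical.

interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function ownerOf(uint256 tokenId) external view returns (address);
}

/// A synthetic collection is one this bridge deployed on L1 to represent an
/// L2-native collection; it exposes a burn that only the bridge may call.
interface ISyntheticERC721 is IERC721Minimal {
    function burn(uint256 tokenId) external;
}

contract AutoBurnGuardExample {
    /// Collections deployed by this bridge. Only these may ever be burned,
    /// because a burned synthetic token can be re-minted from L2 state,
    /// whereas a burned native token is gone for good.
    mapping(address => bool) private _isSynthetic;

    /// Escrow ledger for native collections: collection => tokenId => depositor.
    mapping(address => mapping(uint256 => address)) private _escrow;

    event Burned(address indexed collection, uint256 indexed tokenId);
    event Escrowed(address indexed collection, uint256 indexed tokenId, address indexed depositor);

    error NativeTokenCannotBeBurned(address collection, uint256 tokenId);

    /// Called from the bridge's own collection-deployment path (not shown),
    /// so that user-supplied addresses can never be marked synthetic.
    function _registerSynthetic(address collection) internal {
        _isSynthetic[collection] = true;
    }

    /// Deposit a token into the bridge. `autoBurn` is honoured only for
    /// synthetic collections; a native token is always escrowed, since
    /// nothing on L1 could mint it back after a burn.
    /// (A production version should also guard against reentrancy, since
    /// `transferFrom` calls into the collection contract before state is written.)
    function deposit(address collection, uint256 tokenId, bool autoBurn) external {
        IERC721Minimal(collection).transferFrom(msg.sender, address(this), tokenId);

        if (_isSynthetic[collection]) {
            if (autoBurn) {
                ISyntheticERC721(collection).burn(tokenId);
                emit Burned(collection, tokenId);
                return;
            }
            // Synthetic but not auto-burned: hold it like any escrowed token.
        } else if (autoBurn) {
            // Fail loudly rather than silently ignoring the flag, so a caller
            // who expected a burn learns it cannot apply to this token.
            // The revert also undoes the transferFrom above.
            revert NativeTokenCannotBeBurned(collection, tokenId);
        }

        _escrow[collection][tokenId] = msg.sender;
        emit Escrowed(collection, tokenId, msg.sender);
    }

    /// Whether the auto-burn flag can have any effect for this collection.
    function canAutoBurn(address collection) external view returns (bool) {
        return _isSynthetic[collection];
    }

    /// Depositor of an escrowed token, or the zero address if not escrowed.
    function escrowDepositor(address collection, uint256 tokenId) external view returns (address) {
        return _escrow[collection][tokenId];
    }
}
```

The design choice worth noting is that the burn decision is keyed off a registry the bridge populates only from its own deployment path, never off the caller's flag alone; the flag can request a burn, but cannot make one happen for a native collection. Whether a native deposit with autoBurn set should revert (as above) or simply fall through to escrow is a usability trade-off; reverting is the safer default because it surfaces the mismatch between what the caller asked for and what the bridge will do.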
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real possible impact.