ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Lack of Integrity Check in `withdraw_auto_from_l1` Function of Starknet Bridge Contract

bladesec

Summary

The withdraw_auto_from_l1 function in the Starknet bridge contract is designed to handle the withdrawal of bridged NFTs. However, the function currently lacks proper validation of the request data. This flaw allows an attacker to manipulate the request data, potentially leading to the unauthorized withdrawal or minting of NFTs from the bridge.

Vulnerability Details

Below is the code snippet of the withdraw_auto_from_l1 function:

#[l1_handler]
fn withdraw_auto_from_l1(
ref self: ContractState,
from_address: felt252,
req: Request
) {
ensure_is_enabled(@self);
assert(self.bridge_l1_address.read().into() == from_address,
'Invalid L1 msg sender');
// TODO: recompute HASH to ensure data are not altered.
// TODO: Validate all fields the request (cf. FSM).
let collection_l2 = ensure_erc721_deployment(ref self, @req);
let _ctype = collection_type_from_header(req.header);
// TODO: check CollectionType to support ERC1155 + metadata.
... // -> Iterate through req.ids and either transfer/mint NFTs
}

Explanation

In this code snippet, the function first checks if the bridge is enabled and ensures that the message originated from the L1 bridge by verifying the from_address. However, it does not validate the actual contents of the req object, which contains critical data required for the NFT withdrawal process. This leaves the function vulnerable to potentially malicious requests that could exploit the lack of data integrity checks.

Missing Security Measures

  1. Hash Recalculation: The comment // TODO: recompute HASH to ensure data are not altered. indicates that the function should include a step to recalculate and verify the hash of the incoming request data. This would ensure that the data has not been tampered with during transmission.

  2. Field Validation: The function should also validate all fields within the req object to ensure they contain the expected values. The note // TODO: Validate all fields the request (cf. FSM) suggests that this validation is necessary but currently missing.

Impact

If an attacker succeeds in exploiting this vulnerability, they could potentially steal bridged NFTs by manipulating the request data. Additionally, the attacker might be able to mint new NFTs without proper authorization, leading to further losses and damage to the bridge’s integrity.

Tools Used

Manual review

Recommendations

To mitigate this vulnerability, the following actions should be taken:

  1. Request Data Validation: Implement a robust validation mechanism that ensures the integrity and correctness of all fields within the req object, similar to the validation processes used in Solidity smart contracts.

  2. Hash Verification: Include the logic to recompute and verify the hash of the request data. This step should be mandatory to confirm that the data has not been altered in transit.

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.