NFTBridge
60,000 USDC
Submission Details
Severity: high
Invalid

Improper Use of `call_contract_syscall` in Starknet Bridge Contract Leads to Denial of Service (DoS) During NFT Bridging

Summary

In Starknet smart contracts, when an internal error occurs during the execution of the call_contract_syscall function, the entire transaction is reverted instead of returning an error (Err).

The Starknet bridge contract relies on this method to attempt calling token_uri and tokenURI functions to retrieve the URIs of NFTs. However, if these functions are not present in the NFT contract, the transaction will fail completely.

Vulnerability Details

According to the Starknet documentation, an internal error in call_contract_syscall can lead to the entire transaction being reverted:

"If call_contract_syscall fails, this can’t be caught and will therefore result in the entire transaction being reverted."

Below is a snippet showing how call_contract_syscall is implemented in the Starknet bridge contract:

fn token_uri_from_contract_call(
    collection_address: ContractAddress,
    token_id: u256,
) -> Option<ByteArray> {
    // TODO: add the interface detection when the standard is out.
    let token_uri_selector = selector!("token_uri");
    let tokenURI_selector = selector!("tokenURI");
    let mut _calldata: Array<felt252> = array![];
    token_id.serialize(ref _calldata);
    let calldata = _calldata.span();
    // As we use syscall, the return value is a raw span of serialized data.
    // len: 0 -> empty
    // len: 1 -> 'old' string
    // len > 1 -> ByteArray
    match starknet::call_contract_syscall(
        collection_address,
        token_uri_selector,
        calldata,
    ) {
        Result::Ok(span) => span.try_into(),
        Result::Err(_e) => {
            match starknet::call_contract_syscall(
                collection_address, tokenURI_selector, calldata,
            ) {
                Result::Ok(span) => span.try_into(),
                Result::Err(_e) => {
                    Option::None
                }
            }
        }
    }
}

The contract first attempts to call the token_uri function. If this call fails, it then tries to call the tokenURI function as a fallback.

The vulnerability arises when an NFT collection does not implement the token_uri function. Instead of returning an error, the entire transaction is reverted, leading to the NFT bridge operation failing.

Impact

If an NFT collection does not have the token_uri function defined, users will not be able to bridge their NFTs using the bridge. This results in a Denial of Service (DoS) for those NFTs.

Tools Used

Manual Review

Recommendations

This issue does not affect NFT collections whose original contracts are on L1, as the erc721_bridgeable contracts deployed on Starknet support the token_uri function.

To mitigate this problem, when an admin whitelists an NFT collection on Starknet, they should specify whether the contract should call token_uri or tokenURI. This precaution will help avoid the issue described above.
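
The recommendation above expressed in Cairo, as an added example that is not part of the submission or of the bridge's code. The function names, the `uri_selector` value recorded at whitelisting time and the convention that `0` means "no URI entry point" are assumptions; `span.try_into()` relies on the same `TryInto` implementation the snippet above uses.

```cairo
use starknet::ContractAddress;

// Hypothetical check for the admin's whitelisting entry point: only the two
// URI selectors named in this report may be recorded for a collection.
fn is_allowed_uri_selector(uri_selector: felt252) -> bool {
    uri_selector == selector!("token_uri") || uri_selector == selector!("tokenURI")
}

// Hypothetical replacement for the probe-then-fallback logic: a single call
// to the entry point the admin recorded, so the bridge never calls a
// selector the collection is not known to expose.
fn token_uri_from_known_selector(
    collection_address: ContractAddress,
    token_id: u256,
    uri_selector: felt252, // assumed: read from per-collection bridge storage
) -> Option<ByteArray> {
    // Assumed convention: 0 means the collection has no URI entry point.
    if uri_selector == 0 {
        return Option::None;
    }
    // Defensive re-check: an unexpected stored value yields no URI
    // instead of an external call to an arbitrary selector.
    if !is_allowed_uri_selector(uri_selector) {
        return Option::None;
    }

    let mut calldata: Array<felt252> = array![];
    token_id.serialize(ref calldata);

    // Same return handling as the snippet above: the raw span is converted
    // with the bridge's Span<felt252> -> ByteArray TryInto implementation,
    // which must be in scope for this to compile.
    match starknet::call_contract_syscall(collection_address, uri_selector, calldata.span()) {
        Result::Ok(span) => span.try_into(),
        Result::Err(_e) => Option::None,
    }
}
```

Calling `is_allowed_uri_selector` inside the whitelisting function as well rejects a bad value when the admin submits it, before any deposit depends on it.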

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

bladesec Submitter
11 months ago
n0kto Lead Judge
11 months ago
n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
