ArkProject: NFT Bridge

Summary

The Starknet bridge contract currently expects certain functions (name and symbol) of the ERC721 contract to return a value of type ByteArray. However, in versions of OpenZeppelin (OZ) before v0.10.0, these functions return a value of type felt252. This change in return type causes the bridge contract to be incompatible with NFT collections that were deployed using OZ v0.9.0 or any earlier version.

Vulnerability Details

The Starknet bridge contract defines the ERC721Metadata structure as follows:

In this definition, the name and symbol fields are expected to be of type ByteArray.

When fetching metadata for an NFT collection, the following function is used:

This function retrieves the name and symbol fields using the Dispatcher pattern, assuming these fields are of type ByteArray.

However, according to the OpenZeppelin documentation, in OZ v0.9.0 and earlier, the name and symbol functions return a felt252 type instead of ByteArray.

Because of this discrepancy, NFT collections that were deployed using OZ v0.9.0 or earlier are not compatible with the current Starknet bridge contract, which expects the newer ByteArray type.

Impact

NFT collections that rely on older versions of the OpenZeppelin library (v0.9.0 or earlier) cannot be supported by the Starknet bridge contract. This limits the interoperability and usability of these NFTs within the ecosystem.

Tools Used

Manual Review

Recommendations

To address this issue, it is recommended that the Starknet bridge contract should use a low-level call (call_contract_syscall) instead of the Dispatcher pattern when fetching the name and symbol fields. This approach would allow the bridge contract to retrieve the return data directly and then parse it into the expected ByteArray type, ensuring compatibility with NFT collections deployed with older versions of OpenZeppelin.