NFTBridge
60,000 USDC
Submission Details
Severity: low
Valid

Issue with Resetting the `escrow` Flag After NFT Withdrawal on the Starknet Bridge

Summary

There is a vulnerability in the Starknet bridge contract where the escrow flag is not reset when an NFT is withdrawn. This flaw prevents the NFT from being withdrawn again in the future, creating a risk of permanent loss for the owner.

Vulnerability Details

The issue occurs in the `withdraw_auto_from_l1` function within the Starknet bridge contract. This function checks whether the `escrow` flag is set for a given NFT. If the flag is set, the contract transfers the NFT from the bridge contract to the intended recipient. If the flag is not set, the contract assumes the NFT does not exist on Starknet and mints a new one instead. The relevant code is as follows:

// Escrowed means the bridge still holds the token on Starknet.
let is_escrowed = !self.escrow.read((collection_l2, token_id)).is_zero();
if is_escrowed {
    // Release the escrowed token to the recipient; the escrow entry is never cleared here.
    IERC721Dispatcher { contract_address: collection_l2 }
        .transfer_from(from, to, token_id);
} else {
    // Token is assumed not to exist on Starknet: mint it, with the request's URI if one was supplied.
    if (req.uris.len() != 0) {
        let token_uri = req.uris[i];
        IERC721BridgeableDispatcher { contract_address: collection_l2 }
            .mint_from_bridge_uri(to, token_id, token_uri.clone());
    } else {
        IERC721BridgeableDispatcher { contract_address: collection_l2 }
            .mint_from_bridge(to, token_id);
    }
}

The problem arises because, after the NFT is successfully withdrawn, the contract does not reset the escrow flag. This oversight leads to a situation where the NFT cannot be withdrawn again if it is transferred back to the Starknet bridge.

Here’s a step-by-step example of how this issue could manifest:

  1. An NFT is first transferred from Starknet to Ethereum via the Starknet bridge. This action sets the escrow flag for the original owner on Starknet.

  2. The user then transfers the NFT from Ethereum back to Starknet. The NFT is moved from the bridge contract to the user, but the escrow flag remains set, as it is not reset after the withdrawal.

  3. Later, the same NFT is bridged back to Ethereum, but this time through a different bridge service, not the Ark bridge.

  4. Finally, the user attempts to bring the NFT back to Starknet once more.

  5. Because the escrow flag is still set, the contract takes the transfer branch, but the NFT is no longer held by the bridge contract, so the transfer cannot succeed and the withdrawal fails.

As a result, the user may lose access to the NFT permanently.
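To make the failure mode concrete, here is an added Python model of the bridge's escrow bookkeeping (example code, not the Ark project's contract) that replays the five steps above once with the current behaviour and once with the escrow entry cleared on withdrawal. Addresses, the token id and the assumption that the other bridge service burns the token on Starknet are all constructed for the example.

```python
from dataclasses import dataclass, field

ARK_BRIDGE = "ark_bridge"  # constructed address of the L2 bridge contract


@dataclass
class L2State:
    # token_id -> current owner on Starknet (None means the token does not exist on L2)
    owner: dict = field(default_factory=dict)
    # token_id -> depositor recorded at deposit time (0 means no escrow entry)
    escrow: dict = field(default_factory=dict)

    def deposit_to_l1(self, token_id, user):
        # L2 -> L1: the bridge takes custody and records the depositor in `escrow`.
        assert self.owner.get(token_id) == user, "depositor must own the token"
        self.owner[token_id] = ARK_BRIDGE
        self.escrow[token_id] = user

    def withdraw_auto_from_l1(self, token_id, to, reset_escrow):
        # L1 -> L2: mirrors the branch structure of withdraw_auto_from_l1.
        is_escrowed = self.escrow.get(token_id, 0) != 0
        if is_escrowed:
            # transfer_from(bridge, to) can only succeed while the bridge holds the token.
            if self.owner.get(token_id) != ARK_BRIDGE:
                raise RuntimeError("transfer_from failed: bridge does not hold the token")
            self.owner[token_id] = to
            if reset_escrow:
                self.escrow[token_id] = 0  # the recommended fix: clear the entry on release
        else:
            # mint_from_bridge: the token must not already exist on Starknet.
            if self.owner.get(token_id) is not None:
                raise RuntimeError("mint failed: token already exists on L2")
            self.owner[token_id] = to


def replay_scenario(reset_escrow):
    """Run steps 1-5 from the report; returns 'withdrawn' or the failure reason."""
    state = L2State(owner={7: "alice"})                      # constructed token id 7
    state.deposit_to_l1(7, "alice")                          # step 1: Starknet -> Ethereum
    state.withdraw_auto_from_l1(7, "alice", reset_escrow)    # step 2: back to Starknet
    state.owner[7] = None  # step 3: leaves L2 via another bridge (assumed to burn the token)
    try:
        state.withdraw_auto_from_l1(7, "alice", reset_escrow)  # steps 4-5
        return "withdrawn"
    except RuntimeError as err:
        return str(err)
```

With `reset_escrow=False` the stale entry routes the second withdrawal into the transfer branch, which fails; with `reset_escrow=True` the token is minted again.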

Impact

This vulnerability can lead to a situation where users are unable to withdraw their NFTs, potentially resulting in the permanent loss of their assets.

Tools Used

Manual Review

Recommendations

To resolve this issue, the escrow flag should be reset after an NFT is withdrawn, similar to how it is handled in the corresponding Solidity bridge contract. This will ensure that the NFT can be withdrawn again in the future without any issues.

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

finding-L2-withdrawing-do-not-clean-escrow-mapping

Impact: Incorrect state without any other impact, which deserves a Low according to CodeHawks documentation.

Appeal created

n0kto Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-L2-withdrawing-do-not-clean-escrow-mapping

Impact: Incorrect state without any other impact, which deserves a Low according to CodeHawks documentation.
