NFTBridge
60,000 USDC
Submission Details
Severity: medium
Valid

Improper Validation of Bridging Gas Fees Allows Users to Bypass Fee Payments

Summary

The sendMessageToL2 function in the StarknetMessaging contract facilitates sending messages from the Ethereum network to the Starknet network. However, there is a critical oversight in how this function handles the gas fees associated with bridging. Specifically, the function does not verify whether the msg.value is sufficient to cover the bridging fee. This vulnerability enables users to send messages across the bridge while paying little to no fees, leading to potential revenue loss for the protocol.

Vulnerability Details

function sendMessageToL2(
    uint256 toAddress,
    uint256 selector,
    uint256[] calldata payload
) external payable override returns (bytes32, uint256) {
    require(msg.value > 0, "L1_MSG_FEE_MUST_BE_GREATER_THAN_0");
    require(msg.value <= getMaxL1MsgFee(), "MAX_L1_MSG_FEE_EXCEEDED");
    uint256 nonce = l1ToL2MessageNonce();
    NamedStorage.setUintValue(L1L2_MESSAGE_NONCE_TAG, nonce + 1);
    emit LogMessageToL2(msg.sender, toAddress, selector, payload, nonce, msg.value);
    bytes32 msgHash = getL1ToL2MsgHash(toAddress, selector, payload, nonce);
    // Note that the inclusion of the unique nonce in the message hash implies that
    // l1ToL2Messages()[msgHash] was not accessed before.
    l1ToL2Messages()[msgHash] = msg.value + 1;
    return (msgHash, nonce);
}

In the code snippet above, the function only checks two things regarding the msg.value:

  1. Whether msg.value is greater than zero.

  2. Whether msg.value does not exceed the maximum allowed fee (getMaxL1MsgFee()).

However, the function does not verify if the msg.value is sufficient to cover the actual gas fees required for the bridge operation. This lack of a minimum fee check means that a user can send just 1 wei to meet the non-zero requirement, allowing them to send messages across the bridge almost for free.

Impact

This vulnerability could result in users exploiting the bridge by paying negligible fees. As a consequence, the protocol could face significant revenue losses, as users would be utilizing the bridging service without contributing their fair share of the fees.

Tools Used

Manual Review

Recommendations

The protocol’s documentation includes a section on estimating gas fees for bridging. The ideal approach to mitigating this vulnerability would involve calculating the bridging fee based on the size of the payload being sent. The sendMessageToL2 function should then verify that the msg.value provided by the user is at least equal to this calculated fee.

Alternatively, the protocol could set a minimum required gas fee and enforce that the msg.value is greater than or equal to this minimum amount.

Additionally, although not directly related to this issue, it is advisable to implement a mechanism that returns any excess gas fees to the user. This would ensure that users do not overpay for the bridging service.
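The following is an added example of what the recommended fix could look like; it is not the protocol's or Starknet's code. The payload-based fee schedule (baseFee, feePerPayloadWord), the simplified message hash and the refund step are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative hardened fee handling (example code, not the audited contract).
contract FeeCheckedMessaging {
    // Assumed fee schedule: a fixed base plus a per-word charge, so the
    // required fee grows with payload size as the recommendation suggests.
    uint256 public immutable baseFee;
    uint256 public immutable feePerPayloadWord;
    uint256 public immutable maxL1MsgFee;

    mapping(bytes32 => uint256) public l1ToL2Messages;
    uint256 private nonce;

    event LogMessageToL2(address indexed from, uint256 indexed toAddress,
        uint256 indexed selector, uint256[] payload, uint256 nonce, uint256 fee);

    constructor(uint256 _baseFee, uint256 _feePerWord, uint256 _maxFee) {
        baseFee = _baseFee;
        feePerPayloadWord = _feePerWord;
        maxL1MsgFee = _maxFee;
    }

    /// Minimum fee the sender must provide for a payload of `payloadLength` words.
    function requiredFee(uint256 payloadLength) public view returns (uint256) {
        return baseFee + feePerPayloadWord * payloadLength;
    }

    function sendMessageToL2(uint256 toAddress, uint256 selector, uint256[] calldata payload)
        external payable returns (bytes32, uint256)
    {
        uint256 fee = requiredFee(payload.length);
        // The check missing from the original: the value must cover the computed
        // fee, not merely be non-zero. The upper bound from the original is kept.
        require(msg.value >= fee, "L1_MSG_FEE_TOO_LOW");
        require(msg.value <= maxL1MsgFee, "MAX_L1_MSG_FEE_EXCEEDED");

        uint256 n = nonce++;
        // Simplified stand-in for getL1ToL2MsgHash; the nonce keeps it unique.
        bytes32 msgHash = keccak256(abi.encode(toAddress, selector, n, payload));
        emit LogMessageToL2(msg.sender, toAddress, selector, payload, n, fee);
        l1ToL2Messages[msgHash] = fee + 1; // record the fee actually charged

        // Refund any excess after state is updated (checks-effects-interactions).
        uint256 excess = msg.value - fee;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "REFUND_FAILED");
        }
        return (msgHash, n);
    }
}
```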

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-not-enough-fee-can-block-NFT

Impact: Medium/High. Need an admin to start a cancellation and wait for 5 days once done. DoS > 5 days. Likelihood: Low. Every time a wallet or a user does not send enough gas.
