NFTBridge
60,000 USDC
Submission Details
Severity: medium
Valid

NFTs Sent from Starknet to Ethereum with `use_withdraw_auto` Flag Set to True Will Be Stuck in the Bridge Contract and Cannot Be Withdrawn

Summary

There is a critical issue in the NFT bridging process between Starknet and Ethereum. Although the auto-withdrawal feature has been disabled on the Ethereum side, users can still set the `use_withdraw_auto` flag to true on the Starknet bridge contract. If an NFT is transferred with this flag enabled, it will become stuck in the Ethereum bridge contract, rendering it impossible to withdraw. This results in the permanent loss of access to the NFT.

Vulnerability Details

Below is a code snippet from the Ethereum bridge contract responsible for handling the withdrawal of NFTs:

    function withdrawTokens(
        uint256[] calldata request
    )
        external
        payable
        returns (address)
    {
        if (!_enabled) {
            revert BridgeNotEnabledError();
        }
        // Header is always the first uint256 of the serialized request.
        uint256 header = request[0];
        // Any error or permission fail in the message consumption will cause a revert.
        // After message being consumed, it is considered legit and tokens can be withdrawn.
        if (Protocol.canUseWithdrawAuto(header)) {
            // 2024-03-19: disabled autoWithdraw after audit report
            // _consumeMessageAutoWithdraw(_starklaneL2Address, request);
            revert NotSupportedYetError();
        } else {
            _consumeMessageStarknet(_starknetCoreAddress, _starklaneL2Address, request);
        }
        // ...
    }

In this code, the `withdrawTokens` function manages the withdrawal of NFTs from the Ethereum bridge contract. If the `use_withdraw_auto` flag is found to be true (as reported by `Protocol.canUseWithdrawAuto(header)`), the function immediately reverts with a `NotSupportedYetError`. Because the revert happens before the message is consumed, a request carrying this flag never reaches the code that releases the tokens.

Impact

The impact of this vulnerability is severe. Users who mistakenly set the `use_withdraw_auto` flag to true while bridging their NFTs from Starknet to Ethereum will find that their NFTs get stuck in the Ethereum bridge contract. Due to the revert in the withdrawal function, these NFTs cannot be retrieved, effectively causing the user to lose their assets permanently.
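
The mismatch described above, reduced to a small Python model of both sides (an added example, not code from the submission or from the bridge's code base). The header bit position, the request layout, the L2 custody step and the outcome names are assumptions made for illustration.

```python
# Constructed model of the flow in this finding; not the bridge's own code.
WITHDRAW_AUTO = 1 << 24  # assumed bit position; the real header layout is not on this page


class NotSupportedYetError(Exception):
    """Mirrors the L1 revert for requests that carry the auto-withdraw flag."""


class L1Bridge:
    def __init__(self):
        self.released = {}  # token_id -> L1 owner

    def withdraw_tokens(self, request):
        header, owner_l1, *token_ids = request  # assumed request layout
        if header & WITHDRAW_AUTO:  # stands in for Protocol.canUseWithdrawAuto(header)
            raise NotSupportedYetError()
        for tid in token_ids:
            self.released[tid] = owner_l1
        return owner_l1


class L2Bridge:
    def __init__(self, reject_withdraw_auto):
        self.reject_withdraw_auto = reject_withdraw_auto  # the recommended guard
        self.in_custody = set()  # assumption: deposit takes custody of the tokens

    def deposit_tokens(self, owner_l1, token_ids, use_withdraw_auto):
        if self.reject_withdraw_auto and use_withdraw_auto:
            raise ValueError("Auto withdrawal is disabled")
        self.in_custody.update(token_ids)
        header = WITHDRAW_AUTO if use_withdraw_auto else 0
        return [header, owner_l1, *token_ids]


def bridge_outcome(use_withdraw_auto, guard_on_l2, token_id=7, owner_l1="0xOWNER"):
    """Return 'withdrawn', 'stuck' or 'rejected_on_l2' for one token."""
    l1, l2 = L1Bridge(), L2Bridge(reject_withdraw_auto=guard_on_l2)
    try:
        request = l2.deposit_tokens(owner_l1, [token_id], use_withdraw_auto)
    except ValueError:
        return "rejected_on_l2"  # the token never left the user's wallet
    try:
        l1.withdraw_tokens(request)
    except NotSupportedYetError:
        return "stuck"  # bridge holds the token, every withdrawal attempt reverts
    return "withdrawn" if l1.released.get(token_id) == owner_l1 else "stuck"
```

Calling `bridge_outcome(True, False)` reproduces the stuck state, while `bridge_outcome(True, True)` shows the deposit being refused before the bridge takes the token.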

Tools Used

Manual Review

Recommendations

To prevent this issue, the Starknet bridge contract should be modified to prevent users from setting the `use_withdraw_auto` flag to true.

Here is a suggested modification to the Starknet bridge contract:

fn deposit_tokens(
ref self: ContractState,
salt: felt252,
collection_l2: ContractAddress,
owner_l1: EthAddress,
token_ids: Span<u256>,
use_withdraw_auto: bool,
use_deposit_burn_auto: bool,
) {
ensure_is_enabled(@self);
assert(!self.bridge_l1_address.read().is_zero(), 'Bridge is not open');
+ assert(!use_withdraw_auto, 'Auto withdrawal is disabled');
// ...
}
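
Review bot: the added `assert(!use_withdraw_auto, 'Auto withdrawal is disabled');` line hard-codes the current L1 behaviour into L2 with nothing tying the two together. Add a comment next to it pointing at the L1 branch that reverts with `NotSupportedYetError`, or read the condition from an admin-settable storage flag, so the check is lifted in step with L1 if auto-withdraw is re-enabled there. The `use_withdraw_auto` parameter also stays in the signature while only `false` is accepted, which the function's documentation should state. This guard covers new deposits only; requests already sent with the flag set still reach the reverting branch in `withdrawTokens` and need separate handling.
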
Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-auto_withdrawn-L2-NFT-stuck

Impact: High, token will be stuck in L2 bridge. Likelihood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.
