NFTBridge
60,000 USDC
Submission Details
Severity: medium
Valid

Users Cannot Withdraw Their NFTs When the Bridge is Disabled

Summary

The bridge's disable switch is intended to block token transfers between L1 and L2 when there is a security concern. The design has a flaw: the function that lets users withdraw their bridged NFTs also checks whether the bridge is enabled, so while the bridge is disabled users cannot withdraw NFTs the bridge already holds for them. That is not the intended behavior; a pause should stop new transfers, not lock existing deposits.

Vulnerability Details

function withdrawTokens(
    uint256[] calldata request
)
    external
    payable
    returns (address)
{
    // Same gate as the transfer path: reverts for every caller while the
    // bridge is disabled, so withdrawals are blocked along with transfers.
    if (!_enabled) {
        revert BridgeNotEnabledError();
    }
    ...
}

In the snippet above, the withdrawal function first checks the `_enabled` flag. If the bridge is disabled, the call reverts with `BridgeNotEnabledError`, execution stops, and no tokens are withdrawn, regardless of whether the caller has a legitimate claim on the NFT.

This is problematic because the bridge's primary function is to move tokens between L1 and L2, and disabling it is an emergency measure. Disabling the bridge should prevent new transfers but should not prevent users from withdrawing NFTs that are already in the bridge. The current code blocks withdrawals together with transfers, which is not what the developers intended and leaves user assets locked for as long as the bridge stays disabled.

Impact

Users cannot withdraw their NFTs from the protocol for as long as the bridge is disabled. Since the bridge is most likely to be disabled during an incident, upgrade or audit, users lose access to their assets precisely at the moments when they are most likely to want them back. No tokens are lost; they remain locked until the bridge is re-enabled.

Tools Used

Manual Review

Recommendations

To fix this issue, remove the `_enabled` check from the withdrawal function while keeping it on the deposit and transfer paths, so a disabled bridge still refuses new transfers but lets users reclaim NFTs it already holds. Apply the change to both bridge contracts (L1 and L2) so that withdrawals work regardless of whether the bridge is enabled or disabled. Any authorization checks in the withdrawal path (proof that the caller owns the bridged token) must of course remain.
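The Foundry test below is an added illustration of the Vulnerability Details and Recommendations sections, not code from the NFTBridge contracts. It uses a deliberately simplified escrow contract: `ToyBridge`, `MockNFT`, `deposit`, `setEnabled`, `checkEnabledOnWithdraw` and the single-token `withdrawTokens` signature are all assumed names for this example and do not reflect the project's API. The same contract is deployed twice, once with the `_enabled` gate on withdrawals (the reported behaviour) and once without it (the recommended fix), and each variant is exercised with the sequence deposit, disable bridge, withdraw. It assumes forge-std and OpenZeppelin Contracts are installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";

// Stand-in for the NFT being bridged (constructed for this example).
contract MockNFT is ERC721 {
    constructor() ERC721("Mock", "MCK") {}
    function mint(address to, uint256 id) external { _mint(to, id); }
}

// Minimal escrow-side model of a bridge (hypothetical, not the project's code).
// `checkEnabledOnWithdraw == true` reproduces the reported gate on withdrawals;
// `false` is the recommended fix. Deposits are always gated, as intended.
contract ToyBridge {
    error BridgeNotEnabledError();

    IERC721 public immutable nft;
    address public immutable owner;
    bool public immutable checkEnabledOnWithdraw;
    bool private _enabled = true;

    // tokenId => depositor entitled to withdraw it
    mapping(uint256 => address) public depositor;

    constructor(IERC721 nft_, bool checkEnabledOnWithdraw_) {
        nft = nft_;
        owner = msg.sender;
        checkEnabledOnWithdraw = checkEnabledOnWithdraw_;
    }

    function setEnabled(bool enabled) external {
        require(msg.sender == owner, "not owner");
        _enabled = enabled;
    }

    // New transfers into the bridge must be blocked while it is disabled.
    function deposit(uint256 tokenId) external {
        if (!_enabled) revert BridgeNotEnabledError();
        nft.transferFrom(msg.sender, address(this), tokenId);
        depositor[tokenId] = msg.sender;
    }

    // Withdrawal of an already-escrowed token. The authorization check
    // (caller must be the depositor) stays in both variants.
    function withdrawTokens(uint256 tokenId) external {
        if (checkEnabledOnWithdraw && !_enabled) revert BridgeNotEnabledError();
        require(depositor[tokenId] == msg.sender, "not depositor");
        delete depositor[tokenId];
        nft.transferFrom(address(this), msg.sender, tokenId);
    }
}

contract BridgeDisabledTest is Test {
    MockNFT nft;
    address alice = makeAddr("alice");

    function setUp() public { nft = new MockNFT(); }

    // Alice bridges token 1, then the operator (this test contract) disables the bridge.
    function _depositThenDisable(ToyBridge bridge) internal {
        nft.mint(alice, 1);
        vm.startPrank(alice);
        nft.approve(address(bridge), 1);
        bridge.deposit(1);
        vm.stopPrank();
        bridge.setEnabled(false);
    }

    function testVulnerable_WithdrawRevertsWhileDisabled() public {
        ToyBridge bridge = new ToyBridge(nft, true);
        _depositThenDisable(bridge);
        vm.prank(alice);
        vm.expectRevert(ToyBridge.BridgeNotEnabledError.selector);
        bridge.withdrawTokens(1);
        assertEq(nft.ownerOf(1), address(bridge)); // token stays locked in the bridge
    }

    function testFixed_WithdrawSucceedsWhileDisabled() public {
        ToyBridge bridge = new ToyBridge(nft, false);
        _depositThenDisable(bridge);
        vm.prank(alice);
        bridge.withdrawTokens(1);
        assertEq(nft.ownerOf(1), alice); // existing deposit can be reclaimed

        // The pause still does its job: new deposits are refused.
        nft.mint(alice, 2);
        vm.startPrank(alice);
        nft.approve(address(bridge), 2);
        vm.expectRevert(ToyBridge.BridgeNotEnabledError.selector);
        bridge.deposit(2);
        vm.stopPrank();
    }
}
```

Run with `forge test -vv`. The first test documents the reported behaviour (the withdrawal reverts and the NFT stays in the bridge); the second shows that dropping the gate from `withdrawTokens` alone is enough to restore withdrawals without weakening the pause, because `deposit` keeps its check.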

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-users-cannot-withdraw-while-bridge-disabled

Impact: Medium, token won't be withdrawable until the bridge is enabled again. No real token loss. Likelihood: Low/Medium, bridge would be disabled in case of emergency/upgrade/audit.
