ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Use of CREATE method is suspicious of reorg attack

745fe9f9c2

Summary

functions use the CREATE method where the address derivation depends only on the Deployer nonce. This is susceptible to reorg attacks.

Vulnerability Details

The deployERC721Bridgeable function deploys a quest contract using the create, where the address derivation depends only on the nonce.

At the same time, some of the chains (Polygon, Optimism, Arbitrum) to which the Deployer will be deployed are suspicious of the reorg attack.

https://polygonscan.com/blocks_forked

function deployERC721Bridgeable(

string memory name,

string memory symbol

)

public

returns (address)

{

address impl = address(new ERC721Bridgeable()); //@audit reorg attack

bytes memory dataInit = abi.encodeWithSelector(

ERC721Bridgeable.initialize.selector,

abi.encode(name, symbol)

);

return address(new ERC1967Proxy(impl, dataInit)); //@audit reorg attack

}

function deployERC1155Bridgeable(

string memory uri

)

public

returns (address)

{

address impl = address(new ERC1155Bridgeable());//@audit reorg attack

bytes memory dataInit = abi.encodeWithSelector(

ERC1155Bridgeable.initialize.selector,

abi.encode(uri)

);

return address(new ERC1967Proxy(impl, dataInit));//@audit reorg attack

}

Impact

If users rely on the address derivation in advance or try to deploy the wallet with the same address on different EVM chains, any funds sent to the wallet could potentially be withdrawn by anyone else. All in all, it could lead to the theft of user funds.

Tools Used

Manual Review

Recommendations

Deploy the quest contract via create2 with salt that includes msg.sender .

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

invalid-reorg-attack-create

`_l1ToL2Addresses` and `_l2ToL1Addresses` can only be set by the bridge owner or at the deployment in `withdrawTokens`. Even if there is a reorg, the contract will be deployed on a new address which won’t change anything to bridge tokens. No impact.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.