NFTBridge
60,000 USDC
Submission Details
Severity: high
Invalid

Permanent locking up of tokens and DOS of bridge

Summary

Permanent locking up of tokens and DOS of the bridge, as the L1 bridge does not call StarknetMessaging.sol directly

Vulnerability Details

Messages from Starknet are manually consumed on L1, and the tokens are sent to owner_L1, which was computed in the request received from L2 (Starknet). The issue arises in the way the message is consumed, which is as follows:

withdrawTokens() in the L1 bridge tries to consume the message from Starknet and calls _consumeMessageStarknet(), an internal function in Messaging.sol, which then calls StarknetMessaging.consumeMessageFromL2():

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L173-L175

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Messaging.sol#L99-L110

But as the Cairo book states in https://book.cairo-lang.org/ch16-04-L1-L2-messaging.html#sending-messages-from-starknet-to-ethereum (see the note at the end of that section), the entity calling StarknetMessaging.consumeMessageFromL2() must be the to_address that was passed as an argument on Starknet, which in this case is the L1 bridge and not Messaging.sol:

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L295-L298

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L63-L64

So when StarknetMessaging.consumeMessageFromL2() is invoked by Messaging.sol and tries to consume the message, it will always revert, as msg.sender is used as an argument for hashing:

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/lib/starknet/StarknetMessaging.sol#L153-L158

This agrees with the warning in the official Cairo book. Hence the message can never be consumed, tokens are lost permanently, and the bridge is DOS'd permanently.

Impact

Tokens are lost permanently and the bridge is DOS'd permanently.

Tools Used

Manual Review

Recommendations

The L1 bridge should call StarknetMessaging.consumeMessageFromL2() directly.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
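The submission's argument rests on one Solidity fact, which is correct: StarknetMessaging.consumeMessageFromL2() folds msg.sender into the message hash, so the message is only consumable by the exact address that the L2 side named as to_address. Whether that turns into a revert depends on a second question the submission does not check: is the messaging logic reached through an internal call (a parent contract the bridge inherits, in which case msg.sender at the core is still the bridge), or through an external call to a separate contract (in which case msg.sender is that contract and the hash no longer matches)? The Foundry test below is an added example and not code from the ark-project repository or the contest; MockStarknetMessaging is a stand-in that reproduces only the hashing and counting behaviour of the real core contract, the contracts BridgeInherits, MessagingMixin, MessagingHelper and BridgeExternal are hypothetical, the L2 address and payload words are constructed, and it assumes a forge project with forge-std available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Stand-in for Starknet's core messaging contract (NOT the real one). It keeps
// the property the submission relies on: the L1 consumer is bound into the
// message hash via msg.sender.
contract MockStarknetMessaging {
    mapping(bytes32 => uint256) public l2ToL1Messages;

    // Test helper: register a message as if the L2 bridge had sent it to `toAddress`.
    function addMessageFromL2(uint256 fromAddress, address toAddress, uint256[] calldata payload) external {
        bytes32 h = keccak256(abi.encodePacked(fromAddress, uint256(uint160(toAddress)), payload.length, payload));
        l2ToL1Messages[h] += 1;
    }

    // Same hash recomputed with msg.sender in the to_address slot.
    function consumeMessageFromL2(uint256 fromAddress, uint256[] calldata payload) external returns (bytes32) {
        bytes32 h = keccak256(abi.encodePacked(fromAddress, uint256(uint160(msg.sender)), payload.length, payload));
        require(l2ToL1Messages[h] > 0, "INVALID_MESSAGE_TO_CONSUME");
        l2ToL1Messages[h] -= 1;
        return h;
    }
}

// Case A (hypothetical): messaging logic in a parent contract, reached by an
// internal call. The core sees msg.sender == the bridge itself.
abstract contract MessagingMixin {
    MockStarknetMessaging internal core;

    function _consumeMessageStarknet(uint256 fromAddress, uint256[] memory payload) internal returns (bytes32) {
        return core.consumeMessageFromL2(fromAddress, payload);
    }
}

contract BridgeInherits is MessagingMixin {
    constructor(MockStarknetMessaging c) { core = c; }

    function withdrawTokens(uint256 fromAddress, uint256[] calldata payload) external returns (bytes32) {
        return _consumeMessageStarknet(fromAddress, payload);
    }
}

// Case B (hypothetical): messaging logic in a separate deployed contract,
// reached by an external call. The core sees msg.sender == the helper.
contract MessagingHelper {
    MockStarknetMessaging internal core;
    constructor(MockStarknetMessaging c) { core = c; }

    function consumeMessageStarknet(uint256 fromAddress, uint256[] calldata payload) external returns (bytes32) {
        return core.consumeMessageFromL2(fromAddress, payload);
    }
}

contract BridgeExternal {
    MessagingHelper internal helper;
    constructor(MessagingHelper h) { helper = h; }

    function withdrawTokens(uint256 fromAddress, uint256[] calldata payload) external returns (bytes32) {
        return helper.consumeMessageStarknet(fromAddress, payload);
    }
}

contract ConsumerIdentityTest is Test {
    uint256 constant L2_BRIDGE = 0x1234; // constructed placeholder for the L2 bridge address

    // Constructed two-word payload standing in for a withdraw request.
    function _payload() internal pure returns (uint256[] memory p) {
        p = new uint256[](2);
        p[0] = 0x01;
        p[1] = 0x42;
    }

    function testInheritedMessagingConsumes() public {
        MockStarknetMessaging core = new MockStarknetMessaging();
        BridgeInherits bridge = new BridgeInherits(core);
        core.addMessageFromL2(L2_BRIDGE, address(bridge), _payload()); // L2 named the bridge as to_address
        bridge.withdrawTokens(L2_BRIDGE, _payload());                    // consumes: msg.sender == bridge
    }

    function testExternalMessagingReverts() public {
        MockStarknetMessaging core = new MockStarknetMessaging();
        MessagingHelper helper = new MessagingHelper(core);
        BridgeExternal bridge = new BridgeExternal(helper);
        core.addMessageFromL2(L2_BRIDGE, address(bridge), _payload()); // L2 still named the bridge...
        vm.expectRevert(bytes("INVALID_MESSAGE_TO_CONSUME"));
        bridge.withdrawTokens(L2_BRIDGE, _payload());                    // ...but the core sees the helper
    }
}
```

Run with `forge test -vv`. The check to make before filing a report like this one is which of the two cases the target's Bridge.sol actually is: read its inheritance list and confirm whether the contract defining _consumeMessageStarknet() is a base contract (case A, no revert) or a separately deployed contract reached via an external call (case B, the revert the submission describes). A Starknet core contract address in a fork test, with the real L2 bridge's to_address, settles it empirically.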
