The NFT bridge has a whitelisting mechanism where collections can be whitelisted and allowed to use the protocol if the whitelist flag is enabled within the protocol. However, this design does not factor in cases where a previously whitelisted collection is removed from the whitelist because it was a malicious collection. Malicious collections should not be allowed back to the bridge.
Consider the following scenario:
1. Collection A is whitelisted for use in the NFT bridge, and the whitelist flag is set to true, so only allowed collections can use the bridge.
2. Collection A is determined to be malicious and is removed from the whitelist.
3. The protocol decides to set the `whitelistEnabled` flag to false, permitting all kinds of collections to use the bridge.
4. At this point, the malicious collection is allowed back to the bridge.
The `_isWhiteListed` function is implemented as follows:
Solidity applies short-circuiting rules, as described at https://docs.soliditylang.org/en/latest/types.html, meaning that once `!_whiteListEnabled` evaluates to false, the `_whiteList[collection]` check would not be evaluated.
Malicious collections that were previously removed from the whitelist can still use the bridge.
Consider removing the `!_whiteListEnabled` term from the `_isWhiteListed` function check.
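The scenario above can be replayed in a small contract. This is an added example, not the bridge's own code: it assumes the check has the form `!_whiteListEnabled || _whiteList[collection]`, which is what the short-circuit description implies, and the contract name, `_isWhiteListedStrict`, `replayScenario` and the sample address are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration, not the bridge's source. _whiteListEnabled, _whiteList and
/// _isWhiteListed follow the names in the finding; all other names are hypothetical.
contract WhitelistScenario {
    bool private _whiteListEnabled;
    mapping(address => bool) private _whiteList;

    // Assumed form of the current check. With the flag off, the left operand
    // is true and `||` short-circuits, so the mapping is never consulted.
    function _isWhiteListed(address collection) internal view returns (bool) {
        return !_whiteListEnabled || _whiteList[collection];
    }

    // Recommended form: the flag term is removed, so only the mapping decides.
    function _isWhiteListedStrict(address collection) internal view returns (bool) {
        return _whiteList[collection];
    }

    /// Replays the four steps of the scenario for one constructed address and
    /// returns the verdict of each form of the check for the removed collection.
    function replayScenario() external returns (bool flagGated, bool mappingOnly) {
        address collectionA = address(0xA11CE); // constructed sample address

        _whiteListEnabled = true;        // step 1: whitelist is enforced
        _whiteList[collectionA] = true;  //         and collection A is approved
        _whiteList[collectionA] = false; // step 2: A is found malicious and removed
        _whiteListEnabled = false;       // step 3: whitelist is switched off

        // Step 4: the flag-gated check ignores the removal recorded in the
        // mapping, while the mapping-only check still honours it.
        flagGated = _isWhiteListed(collectionA);
        mappingOnly = _isWhiteListedStrict(collectionA);
    }
}
```

With the flag term removed, every collection must be listed in the mapping to pass, so the flag no longer opens the bridge to unlisted collections.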