ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

the role of the Bridge admin.

lightningscorch

I have identified a potential security concern related to the role of the Bridge admin.

The README.md mentions that the Bridge admin has the authority to enable/disable the bridge, manage the whitelist, and set L1L2 mappings. This centralized control granted to the Bridge admin poses a potential risk, as any compromise or malicious action by the admin could impact the functionality and security of the bridge.

To address this vulnerability, it is recommended to implement additional security measures such as multi-signature authorization for critical actions, role-based access control, and regular audits of admin activities to ensure transparency and accountability.

By enhancing the security protocols surrounding the Bridge admin role, the overall integrity and trustworthiness of the ArkProject NFT Bridge can be strengthened, reducing the likelihood of unauthorized access or malicious activities.

Centralized Control by Bridge Admin:
- Issue: The Bridge admin has significant control over critical functionalities such as enabling/disabling the bridge, managing whitelists, and setting L1L2 mappings. This centralized control increases the risk of a single point of failure or potential malicious actions by the admin.
- Potential Impact: If the Bridge admin account is compromised or acts maliciously, it could lead to unauthorized access to user assets, manipulation of whitelist settings, or disruption of bridge operations, compromising the security and integrity of the bridge.
- Recommendation: Implement multi-signature authorization for sensitive actions to require approval from multiple authorized parties. Utilize role-based access control to limit admin privileges based on responsibilities. Conduct regular audits and monitoring of admin activities to detect any unauthorized actions.

By addressing these vulnerabilities and implementing the recommended security measures, the ArkProject NFT Bridge can enhance its resilience against potential threats and ensure the protection of user assets and the integrity of the bridge operations.

I utilized a combination of tools, methods, and procedures to identify the vulnerability related to centralized control by the Bridge admin in the ArkProject NFT Bridge:

Code Review: I conducted a thorough review of the smart contracts and project documentation to understand the roles and permissions assigned to different actors within the bridge ecosystem.
Static Analysis Tools: I employed static analysis tools specific to Solidity smart contracts to analyze the codebase for potential vulnerabilities, focusing on authorization logic and access control mechanisms.
Manual Testing: I manually examined the smart contract code to identify any centralized control mechanisms that could pose security risks, particularly in relation to the Bridge admin's capabilities.
Security Best Practices: I applied industry best practices and security guidelines for blockchain development, including principles of least privilege, role-based access control, and authorization checks.
Risk Assessment: I assessed the potential impact of the identified vulnerability on the security and functionality of the ArkProject NFT Bridge, considering the implications of unauthorized access and malicious actions by the Bridge admin.

By combining these tools, methods, and procedures, I was able to identify the vulnerability and provide recommendations for enhancing the security posture of the ArkProject NFT Bridge. Conducting a comprehensive security assessment and implementing proactive measures are essential steps in mitigating risks and ensuring the integrity of blockchain applications.

// MultiSignatureWallet contract

contract MultiSignatureWallet {

address[] public owners;

mapping(address => bool) public isOwner;

uint public quorum;

constructor(address[] memory _owners, uint _quorum) {

require(_owners.length > 0, "Owners required");

require(_quorum > 0 && _quorum <= _owners.length, "Quorum should be valid");

for (uint i = 0; i < _owners.length; i++) {

owners.push(_owners[i]);

isOwner[_owners[i]] = true;

}

quorum = _quorum;

}

function executeTransaction(address to, uint value, bytes calldata data) public {

// Perform checks, validations, and require statements

// Execute transaction

(bool success, ) = to.call{value: value}(data);

require(success, "Transaction execution failed");

}

// Approve a transaction

function approveTransaction() public {

// Validate signer and increment approval count

// Check if quorum is reached, then execute transaction

}

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.