NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Using `transfer_from()` without confirmation on the recipient

Summary

The protocol uses the `transfer_from()` function, which places the responsibility on the caller to ensure that the recipient can accept ERC721 transfers. That confirmation is not performed anywhere in the code.

Vulnerability Details

The ArkProject currently uses `transfer_from()` in the `withdraw_auto_from_l1()` (https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/bridge.cairo#L161) and `escrow_deposit_tokens()` (https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/bridge.cairo#L418) functions within `bridge.cairo`, as well as in the test scenarios of `erc721_bridgeable.cairo`. `transfer_from()` places the responsibility on the caller to confirm that the recipient is capable of receiving ERC721 transfers; if the recipient is a contract that cannot handle them, the NFTs may be permanently lost. Since this confirmation isn't performed, the protocol should either implement its own check on the recipient or switch to `IERC721::safe_transfer_from`, which reverts when a contract recipient does not implement the receiver interface.

More information on this can be found at https://docs.openzeppelin.com/contracts-cairo/0.11.0/erc721

Impact

NFTs can be lost when using `transfer_from()` because it includes no confirmation that the recipient can receive ERC721 tokens.

Tools Used

Manual Review

Recommendations

Using `safe_transfer_from()` helps prevent loss, but note that it introduces an external call (the recipient's `on_erc721_received` hook), which could create a reentrancy vulnerability if state is not updated before the call or a reentrancy guard is not used.
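The following is an added example, not ArkProject code and not the bridge's actual escrow layout: a minimal Starknet escrow that releases a token with `safe_transfer_from` while covering the reentrancy caveat above. It assumes OpenZeppelin contracts-cairo 0.11.0 (the version linked above) for `IERC721Dispatcher` and `ReentrancyGuardComponent`; the contract name, the `depositor` storage map and the `NOT_DEPOSITOR` error are hypothetical.

```cairo
// Added example (not ArkProject code). Assumes OpenZeppelin contracts-cairo 0.11.0.
#[starknet::contract]
mod SafeNftEscrowExample {
    use starknet::{ContractAddress, contract_address_const, get_caller_address, get_contract_address};
    use openzeppelin::security::ReentrancyGuardComponent;
    use openzeppelin::token::erc721::interface::{IERC721Dispatcher, IERC721DispatcherTrait};

    component!(path: ReentrancyGuardComponent, storage: reentrancy_guard, event: ReentrancyGuardEvent);
    impl ReentrancyGuardInternalImpl = ReentrancyGuardComponent::InternalImpl<ContractState>;

    #[storage]
    struct Storage {
        #[substorage(v0)]
        reentrancy_guard: ReentrancyGuardComponent::Storage,
        // Hypothetical layout: (collection, token_id) -> account allowed to withdraw it.
        depositor: LegacyMap<(ContractAddress, u256), ContractAddress>,
    }

    #[event]
    #[derive(Drop, starknet::Event)]
    enum Event {
        #[flat]
        ReentrancyGuardEvent: ReentrancyGuardComponent::Event,
    }

    // Deposit: the recipient is this contract, which is known to be able to hold
    // the token, so the plain transfer_from is adequate here.
    #[external(v0)]
    fn deposit(ref self: ContractState, collection: ContractAddress, token_id: u256) {
        let caller = get_caller_address();
        self.depositor.write((collection, token_id), caller);
        IERC721Dispatcher { contract_address: collection }
            .transfer_from(caller, get_contract_address(), token_id);
    }

    // Withdraw to a caller-chosen address. safe_transfer_from reverts when `to`
    // is a contract that does not implement IERC721Receiver, instead of leaving
    // the NFT stuck there. Because the receiver hook is an external call, the
    // guard blocks reentry and the escrow record is cleared before the call
    // (checks-effects-interactions).
    #[external(v0)]
    fn withdraw(
        ref self: ContractState, collection: ContractAddress, token_id: u256, to: ContractAddress
    ) {
        self.reentrancy_guard.start();
        let caller = get_caller_address();
        assert(self.depositor.read((collection, token_id)) == caller, 'NOT_DEPOSITOR');
        // Effects before interaction: clear the record first.
        self.depositor.write((collection, token_id), contract_address_const::<0>());
        let data: Array<felt252> = array![];
        IERC721Dispatcher { contract_address: collection }
            .safe_transfer_from(get_contract_address(), to, token_id, data.span());
        self.reentrancy_guard.end();
    }
}
```

The design choice to keep in mind: `safe_transfer_from` turns a silent loss into a revert for contract recipients that lack `on_erc721_received`, but it does not help an externally owned account that simply does not control its key, and the new external call is why the guard and the ordering of the storage write matter.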

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.
