NFTBridge
60,000 USDC
Submission Details
Severity: high
Valid

Dead loop in `bridge.cairo::_white_list_collection` may lead to DoS

Summary

Because prev is never updated, bridge.cairo::_white_list_collection can get stuck in a dead loop, and the whitelist is not updated correctly.

Vulnerability Details

In the removal branch of bridge.cairo::_white_list_collection, the loop never advances prev to next.

// change head
if prev == collection {
    let (_, next) = self.white_listed_list.read(prev);
    self.white_listed_list.write(collection, (false, no_value));
    self.white_listed_head.write(next);
    return;
}
// remove element from linked list
loop {
    let (active, next) = self.white_listed_list.read(prev);
    if next.is_zero() {
        // end of list
        break;
    }
    if !active {
        break;
    }
    if next == collection {
        let (_, target) = self.white_listed_list.read(collection);
        self.white_listed_list.write(prev, (active, target));
        break;
    }
    // prev is never advanced here, so the next iteration re-reads the same node
};
self.white_listed_list.write(collection, (false, no_value));

When active is true and next is neither zero nor collection, the loop never terminates. The removal consumes all the gas and fails, which makes the calling transaction revert.

This happens whenever the linked list looks like:

prev(true) --> not_collection(true) --> ...

Meanwhile, in a normal removal scenario the whitelist is also not updated correctly, because the linked list is not linked correctly.

Impact

  1. The dead loop leads to DoS

  2. The whitelist can't be updated correctly

Tools Used

manual review

Recommendations

Advance prev to next at the end of each loop iteration:

// change head
if prev == collection {
    let (_, next) = self.white_listed_list.read(prev);
    self.white_listed_list.write(collection, (false, no_value));
    self.white_listed_head.write(next);
    return;
}
// remove element from linked list
loop {
    let (active, next) = self.white_listed_list.read(prev);
    if next.is_zero() {
        // end of list
        break;
    }
    if !active {
        break;
    }
    if next == collection {
        let (_, target) = self.white_listed_list.read(collection);
        self.white_listed_list.write(prev, (active, target));
        break;
    }
+   prev = next;
};
self.white_listed_list.write(collection, (false, no_value));

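
The vulnerable loop from Vulnerability Details and the recommended fix can be compared by running both against the same list. The following is an added Python model written for this page, not code from the NFTBridge project: it mirrors the white_listed_list storage layout (collection -> (active, next)) with constructed integer addresses, uses 0 for no_value / is_zero(), and assumes the loop starts with prev equal to the stored head. A bounded iteration count stands in for the gas limit.

```python
# Added example, not code from the NFTBridge project: a small Python model of
# the `white_listed_list` storage so the removal loop from the finding and the
# recommended fix can be executed side by side. Collections are constructed
# integer "addresses"; 0 stands in for `no_value` / `is_zero()`. The loop is
# assumed to start with `prev` equal to the stored head.

NO_VALUE = 0
GAS_ITERATIONS = 1_000  # stand-in for the gas limit: a dead loop exhausts it


class WhiteList:
    """Singly linked whitelist: storage maps collection -> (active, next)."""

    def __init__(self, collections):
        # Build head -> c1 -> c2 -> ... -> cN -> 0 with every entry active.
        self.head = collections[0] if collections else NO_VALUE
        self.storage = {}
        for c, nxt in zip(collections, collections[1:] + [NO_VALUE]):
            self.storage[c] = (True, nxt)

    def read(self, collection):
        return self.storage.get(collection, (False, NO_VALUE))

    def write(self, collection, value):
        self.storage[collection] = value

    def active_collections(self):
        """Walk the list from the head, as a reader of the whitelist would."""
        out, cur = [], self.head
        while cur != NO_VALUE and len(out) <= len(self.storage):
            active, nxt = self.read(cur)
            if not active:
                break
            out.append(cur)
            cur = nxt
        return out


def _remove(wl, collection, advance_prev):
    """Removal branch of _white_list_collection.

    advance_prev=False reproduces the reported code; True applies the
    recommended `prev = next` at the end of each iteration.
    Returns "removed" or "out_of_gas".
    """
    prev = wl.head  # assumption: the loop starts from the head
    # change head
    if prev == collection:
        _, nxt = wl.read(prev)
        wl.write(collection, (False, NO_VALUE))
        wl.head = nxt
        return "removed"
    # remove element from linked list
    for _ in range(GAS_ITERATIONS):
        active, nxt = wl.read(prev)
        if nxt == NO_VALUE:
            break  # end of list
        if not active:
            break
        if nxt == collection:
            _, target = wl.read(collection)
            wl.write(prev, (active, target))  # unlink: prev now points past collection
            break
        if advance_prev:
            prev = nxt  # the line the recommendation adds
    else:
        # no break ever happened: the same prev was re-read until gas ran out
        return "out_of_gas"
    wl.write(collection, (False, NO_VALUE))
    return "removed"


def remove_buggy(wl, collection):
    return _remove(wl, collection, advance_prev=False)


def remove_fixed(wl, collection):
    return _remove(wl, collection, advance_prev=True)


if __name__ == "__main__":
    for name, remove in (("buggy", remove_buggy), ("fixed", remove_fixed)):
        for target in (1, 2, 3, 4):
            wl = WhiteList([1, 2, 3, 4])
            status = remove(wl, target)
            print(f"{name}: remove {target} -> {status}, list = {wl.active_collections()}")
```

Running it shows the behaviour the judge describes: with the reported code only the head and the second collection can be removed, and removing any later collection never leaves the loop; with prev advanced, every position is unlinked and a collection that is not in the list simply walks to the end.
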
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-L2-unwhitelist-from-third collection-impossible

Likelihood: High, owner can only unwhitelist the 2 first collections. Impact: Medium/High, owner has to empty the list to remove any collection, and replace all the new ones.
