NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Function is marked payable but `msg.value` isn't handled, funds can get stuck.

Summary

Two functions are marked payable but never read msg.value, so any ETH sent along with a call is accepted by the contract and can get stuck.

Vulnerability Details

withdrawTokens function

The Starklane::withdrawTokens function is marked payable.

function withdrawTokens(
uint256[] calldata request
)
external
@> payable
returns (address)
{/*function logic*/}

The StarklaneMessaging::addMessageHashForAutoWithdraw function is also marked payable.

function addMessageHashForAutoWithdraw(
uint256 msgHash
)
external
@> payable
onlyOwner
{
bytes32 hash = bytes32(msgHash);
if (_autoWithdrawn[hash] != WITHDRAW_AUTO_NONE) {
revert WithdrawMethodError();
}
_autoWithdrawn[hash] = WITHDRAW_AUTO_READY;
emit MessageHashAutoWithdrawAdded(hash);
}


Neither function reads msg.value. Because the `payable` modifier suppresses the compiler's msg.value == 0 check, a call that carries ETH (by mistake, or from an integrating contract that forwards value) succeeds and the ETH is added to the contract balance without being accounted for. Unless the contract exposes some other path to move ETH out, that ETH is stuck.

Impact

ETH sent by mistake along with these calls is accepted and not accounted for, and there is no path in the affected functions to recover it. Whether it is recoverable at all depends on the rest of the contract exposing a way to sweep its balance.

Tools Used

Manual review

Recommendations

Remove the `payable` keyword from both functions (the compiler then rejects any call that carries ETH), or, if ETH is genuinely expected, handle msg.value explicitly: revert on unexpected value, or credit it to the caller so it can be withdrawn.
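The pattern and both fixes side by side, as an added example that is not Starklane's code and not part of the original submission. The contract names, the `addHash*` function names and the `StuckEthDemo` harness are hypothetical; the state-machine constants mirror the shape of the snippet above only so the three variants are comparable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical names, not the Starklane code base).
contract StuckEthExample {
    uint8 internal constant WITHDRAW_AUTO_NONE = 0;
    uint8 internal constant WITHDRAW_AUTO_READY = 1;
    mapping(bytes32 => uint8) internal _autoWithdrawn;

    error AlreadySet(bytes32 hash);
    error UnexpectedValue(uint256 value);

    // As reported: payable, but msg.value is never read. The compiler skips its
    // msg.value == 0 check, so ETH sent with the call lands in this contract's
    // balance. Nothing in this contract can send it back out.
    function addHashPayable(uint256 msgHash) external payable {
        _mark(bytes32(msgHash));
    }

    // Fix 1: drop `payable`. The compiler inserts the msg.value == 0 check and a
    // call that carries ETH reverts before any state is touched.
    function addHashNonPayable(uint256 msgHash) external {
        _mark(bytes32(msgHash));
    }

    // Fix 2: keep `payable` only where ETH is actually used; if it is not, make the
    // rejection explicit so a reader sees the intent instead of a missing keyword.
    function addHashExplicit(uint256 msgHash) external payable {
        if (msg.value != 0) revert UnexpectedValue(msg.value);
        _mark(bytes32(msgHash));
    }

    function _mark(bytes32 hash) internal {
        if (_autoWithdrawn[hash] != WITHDRAW_AUTO_NONE) revert AlreadySet(hash);
        _autoWithdrawn[hash] = WITHDRAW_AUTO_READY;
    }
}

// Harness: exercises the three variants with low-level calls so the outcome is
// visible from return values. Deploy it and call run() with at least 3 wei.
contract StuckEthDemo {
    StuckEthExample public target = new StuckEthExample();

    function run()
        external
        payable
        returns (uint256 stuck, bool nonPayableReverted, bool explicitReverted)
    {
        require(msg.value >= 3, "send at least 3 wei");
        uint256 forwarded = msg.value - 2;

        // 1. payable and unhandled: the call succeeds and the ETH is now held by
        //    `target`, which has no function that can move it out.
        (bool ok, ) = address(target).call{value: forwarded}(
            abi.encodeWithSelector(StuckEthExample.addHashPayable.selector, uint256(1))
        );
        require(ok, "unexpected revert");
        stuck = address(target).balance; // == forwarded

        // 2. non-payable: the compiler-generated check rejects the value.
        (ok, ) = address(target).call{value: 1}(
            abi.encodeWithSelector(StuckEthExample.addHashNonPayable.selector, uint256(2))
        );
        nonPayableReverted = !ok; // true; the 1 wei never left this contract

        // 3. payable with an explicit guard: rejected with a descriptive error.
        (ok, ) = address(target).call{value: 1}(
            abi.encodeWithSelector(StuckEthExample.addHashExplicit.selector, uint256(3))
        );
        explicitReverted = !ok; // true

        // The 2 wei retained for attempts 2 and 3 stay in this harness; only the
        // amount from attempt 1 is unrecoverable.
    }
}
```

Calling `run()` with value returns `(forwarded, true, true)`: attempt 1 shows the reported behaviour, attempts 2 and 3 show that either fix turns the same mistaken call into a revert, which is what keeps the caller's ETH with the caller.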

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
