NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Lack of Validation for Empty or Duplicate Token IDs in `depositTokens` Function

Summary

The depositTokens function in the Starklane bridge contract allows users to transfer NFTs from Ethereum (L1) to Starknet (L2). However, the function does not validate the ids array, which represents the token IDs being transferred. Specifically, there are no checks to ensure that the ids array is non-empty or that it does not contain duplicate values. This oversight can lead to incorrect or unintended behavior during the bridging process.

Vulnerability Details

In the depositTokens function, the ids parameter is a list of token IDs that the user wishes to bridge. There are no safeguards in place to ensure that:

  1. The ids array is not empty, which could result in an invalid transfer attempt.

  2. The ids array does not contain duplicate values, which could lead to redundant or unintended token transfers.

Failure to validate the input data could cause logical inconsistencies and potentially create security vulnerabilities in the bridging mechanism.

Impact

The lack of validation for the ids array could result in various issues, such as:

  • Invalid Transfers: An empty array of token IDs would initiate a transfer request without any actual tokens to transfer, potentially locking funds or causing unnecessary gas consumption.

  • Redundant Operations: Duplicate token IDs could lead to repeated operations on the same token, potentially causing unexpected behavior in both the smart contract and the overall bridging process.

Tools Used

Manual Code Review

Recommendations

To mitigate this issue, it is recommended to implement the following checks within the depositTokens function:

  1. Ensure that the ids array is not empty before proceeding with the transfer.

  2. Implement a mechanism to detect duplicate values in the ids array.
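The two recommended checks as a Solidity library, added here as an illustration; this is not Starklane's code, and the library, function and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added example, not Starklane's code: input validation for the token-id
/// list passed to a bridge deposit. Names are assumptions for illustration.
library TokenIdChecks {
    error EmptyTokenIds();
    error DuplicateTokenId(uint256 id);

    /// @dev Reverts if `ids` is empty or contains any repeated value.
    /// The pairwise scan is O(n^2), which is acceptable for the small
    /// batches a single deposit carries. For large batches, require
    /// strictly ascending ids instead and compare each element only
    /// with its predecessor, which makes the check O(n).
    function validate(uint256[] calldata ids) internal pure {
        if (ids.length == 0) revert EmptyTokenIds();
        for (uint256 i = 0; i < ids.length; i++) {
            for (uint256 j = i + 1; j < ids.length; j++) {
                if (ids[i] == ids[j]) revert DuplicateTokenId(ids[i]);
            }
        }
    }
}
```

A deposit function would call `TokenIdChecks.validate(ids)` before escrowing any token, so a bad batch reverts without consuming gas on transfers.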

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
