ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

The `Bridge::startRequestCancellation` function should not have `onlyOwner` modifier

bube

Link

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L223-L226

Summary

The function Bridge::startRequestCancellation has modifier onlyOwner that prevents the users to call the function.

Vulnerability Details

The function Bridge::startRequestCancellation is used to start the cancellation of a given request:

function startRequestCancellation(
uint256[] memory payload,
uint256 nonce
@> ) external onlyOwner {
IStarknetMessaging(_starknetCoreAddress).startL1ToL2MessageCancellation(
snaddress.unwrap(_starklaneL2Address),
felt252.unwrap(_starklaneL2Selector),
payload,
nonce
);
Request memory req = Protocol.requestDeserialize(payload, 0);
emit CancelRequestStarted(req.hash, block.timestamp);
}

The function should be called by anyone, but it has onlyOwner modifier. This issue is reported in the previous audit and it is marked as Fixed. Also, the sponsors confirm that all issues from the previous audit are Fixed. But actually this issue is not Fixed.

Impact

Any user should be able to initiate cancellation but actually only the owner can call the Bridge::startRequestCancellation function.

Recommendations

Remove the onlyOwner modifier in the Bridge::startRequestCancellation function.

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.