ArkProject: NFT Bridge

Summary

The protocol has disabled the auto_ withdrawmechanism of tokens on Ethereum Bridge contract probably based on an audit report as seen in the code comments here https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L170

However, the autowithdraw mechanism is still enabled on bridge.cairocontract and users can still set this to true indicating they would want to auto withdraw their tokens.

Given that the implementation on Ethereum reverts once the header has an autowithdrawflag set, it would mean that all transactions from Starknet users with autowithdraw flag would revert.

Vulnerability Details

The Ethereum Bridge contract does not support auto withdrawal of tokens as seen here: https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L169-L173

However, in Starknet, this mechanism is till supported whenever a user wants to bridge their tokens from Starknet to Ethereum as seen here: https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/starknet/src/bridge.cairo#L242-L290

Therefore, the user transaction to auto withdraw in the bridge would always revert leading to a DoS.

Impact

Starknet users who would want to auto withdraw their tokens will always revert because this feature is disabled on Ethereum.use_withdraw_auto: bool,Tools Used

Recommendations

Disable this ability on Starknet by removing the use``withdrawauto_ parameter in deposit_Tokens_ function in bridge.cairo contract.