Failed L2 deposit are not handled
Summary
Deposit requests could fail for various reasons and as such the ownerof the L1 bridge has the liberty to cancel request and perhaps and retrieve assets deposited in the escrow back to the owner of the asset by calling cancelRequest(...)
Vulnerability Details
The same cannot be said of the L2, since the only assumption made before deposits are made in the L2 is that the L1 bridge is live. However if the transaction to L2 should fail for any reasons, there will be no way for the admin or owner of deposited NFTs to retrive the traansaction
For instance, if an L2 message is never processed by the sequencer, users will never be able to withdraw their tokens in L1 or retrieve it from the L2, and they need a way to cancel the message. Hence their tokens will be stuck because
Impact
NFTs could be locked in the L2 without a way to withdraw or retrieve them. This can block users from retrieving their NFTs when L2<>L1 transactions fail .
Tools Used
Manual review
Recommendations
When sending a message from L2 to L1, it is essential to consider the possibility that a message may never be processed. If possible allow the user or Admin to cancel transactions
Lead Judging Commences
invalid-no-L2-cancel-mecanism-without-any-root-cause
Lack of feature is not a bug. Moreover that’s more something that the Starknet Core should implement since there is no way for Ark to have trusted data, preventing double spending. Finally, there is no real root cause in those reports, only suppositions that something bad can happen.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.