This audit report highlights a critical vulnerability in the cross-chain NFT bridge protocol that operates between Ethereum and StarkNet. The issue is specifically related to the Bridge.sol and UUPSProxied.sol contracts, where the disableInitializers function is not called in the constructor of Bridge.sol or UUPSProxied.sol. This omission poses a severe risk, as it allows potential attackers to initialize the implementation contracts directly, leading to unauthorized access and potential exploitation.
Implementation Contracts: In the UUPS (Universal Upgradeable Proxy Standard) pattern, implementation contracts are not supposed to be directly initialized. Instead, initialization should occur via the proxy. The disableInitializers function is intended to lock the initializer functions once the contract has been deployed, ensuring that no further initializations can occur directly on the implementation contract.
Risk: Without disabling initializers, an attacker could potentially call the initialize function on the implementation contract, allowing them to gain control or manipulate the state of the contract, which could lead to unauthorized transfers, data corruption, or other malicious actions.
If exploited, this vulnerability could lead to complete control over the implementation contracts by unauthorized parties, resulting in the loss or theft of NFTs, disruption of cross-chain operations, or other severe consequences.
Manual Review
disableInitializers in Constructors
To mitigate this vulnerability, the disableInitializers function should be called in the constructors of both Bridge.sol and UUPSProxied.sol. This will lock the initializer functions, preventing them from being called on the implementation contracts.
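An added example (not the audited project's code) showing the unlocked implementation beside the locked one, using OpenZeppelin's upgradeable contracts (v5, where the function is named _disableInitializers()); the contract names and the starknetCore field are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {UUPSUpgradeable} from "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// BEFORE (hypothetical shape of the finding): no constructor, so the
/// implementation contract's own Initializable state is never locked and
/// initialize() remains callable directly on the implementation address.
contract BridgeImplUnlocked is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    address public starknetCore; // hypothetical config slot

    function initialize(address owner_, address starknetCore_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
        starknetCore = starknetCore_;
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}

/// AFTER: the constructor runs exactly once, at implementation deployment,
/// and marks the implementation's Initializable state as fully initialized.
/// The proxy has its own storage, so initialize() through the proxy still works;
/// a direct call on the implementation now reverts with InvalidInitialization().
contract BridgeImplLocked is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    address public starknetCore; // hypothetical config slot

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    function initialize(address owner_, address starknetCore_) external initializer {
        __Ownable_init(owner_);
        __UUPSUpgradeable_init();
        starknetCore = starknetCore_;
    }

    function _authorizeUpgrade(address) internal override onlyOwner {}
}
```

A quick check after deployment: calling initialize() on the implementation address (not the proxy) must revert for the locked version and will succeed once for the unlocked one.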
Likelihood: Low/Medium. Impact: Very low, the attacker can at most run the protocol on their side and lead a phishing campaign with an address deployed by Ark.