Summary

This audit report highlights a critical vulnerability in the cross-chain NFT bridge protocol that operates between Ethereum and StarkNet. The issue is specifically related to the Bridge.sol and UUPSProxied.sol contracts, where the disableInitializers is not called in the contructor in Bridge.sol and UUPSProxied.sol. This omission poses a severe risk as it allows potential attackers to initialize the implementation contracts directly, leading to unauthorized access and potential exploitation.

Vulnerability Details

Implementation Contracts: In the UUPS (Universal Upgradeable Proxy Standard) pattern, implementation contracts are not supposed to be directly initialized. Instead, initialization should occur via the proxy. The disableInitializers function is intended to lock the initializer functions once the contract has been deployed, ensuring that no further initializations can occur directly on the implementation contract.

Risk: Without disabling initializers, an attacker could potentially call the initialize function on the implementation contract, allowing them to gain control or manipulate the state of the contract, which could lead to unauthorized transfers, data corruption, or other malicious actions.

Impact

If exploited, this vulnerability could lead to complete control over the implementation contracts by unauthorized parties, resulting in the loss or theft of NFTs, disruption of cross-chain operations, or other severe consequences.

Tools Used

Manual Review

Recommendations

Call disableInitializers in Constructors

To mitigate this vulnerability, the disableInitializers function should be called in the constructors of both Bridge.sol and UUPSProxied.sol. This will lock the initializer functions, preventing them from being called on the implementation contracts.