NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Incorrect serialized request data in `DepositRequestInitiated` event

Summary

Vulnerability Details

In the `Bridge::deposit_tokens(...)` function, the `DepositRequestInitiated` event is emitted with the non-serialized request (`req`) instead of the serialized request (`buf`).

starknet/src/bridge.cairo#L276-L304

fn deposit_tokens(
    ref self: ContractState,
    salt: felt252,
    collection_l2: ContractAddress,
    owner_l1: EthAddress,
    token_ids: Span<u256>,
    use_withdraw_auto: bool,
    use_deposit_burn_auto: bool,
) {
    //@note req is the non serialized request
    let req = Request {
        ...
    };
    ...
    //@note buf is the serialized request
    let mut buf: Array<felt252> = array![];
    req.serialize(ref buf);
    starknet::send_message_to_l1_syscall(
        self.bridge_l1_address.read().into(),
        buf.span(),
    )
        .unwrap_syscall();
    self.emit(DepositRequestInitiated {
        hash: req.hash,
        block_timestamp: starknet::info::get_block_timestamp(),
        //@audit here we emit the non serialized request instead of the serialized one
@>      req_content: req
    });
}

Impact

This causes issues with the indexer, which relies on the serialized request data to process the event. See here for details on how the event is used by the indexer.

Tools Used

Manual review.

Recommendations

self.emit(DepositRequestInitiated {
hash: req.hash,
block_timestamp: starknet::info::get_block_timestamp(),
+ req_content: buf
- req_content: req
});
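
Review bot: On the `+ req_content: buf` line, `buf` is declared in `deposit_tokens` as `Array<felt252>`, while the field it replaces is filled with `req`, a `Request`, so the assignment will not type-check unless the `req_content` field of `DepositRequestInitiated` is retyped in the same change. The patch should include the event definition and state the felt layout the indexer expects, because the hunk alone does not show that the data emitted for `req` differs from the contents of `buf`. The added line is also listed before the removed one; a unified diff puts the `-` line first.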

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

x18a6 Submitter 10 months ago
n0kto Lead Judge 9 months ago
n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
