NFTs can be locked due to no cancellation mechanism on L2 bridge
Summary
NFTs could be locked forever in bridge if L1 owner doesn't support ERC721 Reciever
Vulnerability Details
NFTs brigded from L2 can be withdraw on L1 side using `withdrawTokens` function. But if req.owner which was set when initiating a L2 request doesn't support ERC721 Reciever, safeTransferFrom will revert. So the request can never be consumed and the tokens will be locked forever in the bridge contract.
On L1 bridge such cases can be handled by initiating message cancellation call. But as there is no such implementation on L2 side the NFTs will be locked forever
Impact
Users might loose NFTs when bridged from L2
Tools Used
Manual review
Recommendations
Add a cancellation implementation from L2 side which will be useful in emergency cases
Lead Judging Commences
invalid-no-L2-cancel-mecanism-without-any-root-cause
Lack of feature is not a bug. Moreover that’s more something that the Starknet Core should implement since there is no way for Ark to have trusted data, preventing double spending. Finally, there is no real root cause in those reports, only suppositions that something bad can happen.
Appeal created
finding-withdraw-safeTransferFrom-to-no-onERC721Received-will-revert
Impact: High, NFT will be stuck in L2 bridge. Likelyhood: Very low, sending NFT to a contract not implementing that function would almost be a user error.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.