ArkProject: NFT Bridge

Vulnerability Details

in the whiteList function:

1. The function only updates the whitelist status for the given collection but doesn't handle the linked list structure properly.

2. When disabling a collection (setting enable to false), it should remove the collection from the linked list to maintain consistency.

3. When enabling a collection, it should add it to the end of the linked list if it's not already present.

4. The current implementation may lead to inconsistencies between the white_listed_list mapping and the actual linked list structure.

5. This can result in the getWhiteListedCollections function returning incorrect or incomplete results.

Impact

1. Whitelisted collections being omitted from getWhiteListedCollections

2. Potentially allowing non-whitelisted collections to be used in deposit_tokens

3. The inconsistency could lead to allowing unauthorized collections to be bridged between L1 and L2.

4. It also affects the transparency of the system, as querying whitelisted collections provides inaccurate information.

PoC flow:

a. Admin whitelists Collection A

b. Admin whitelists Collection B

c. Admin removes Collection A from whitelist

d. getWhiteListedCollections still returns both A and B

e. User can still deposit tokens from Collection A, bypassing the whitelist check

Recommendations

To fix this, the function should properly update the linked list structure when enabling or disabling collections, ensuring that the list remains consistent with the whitelist status of each collection.