Lack of Gas Fee estimation in depositTokens Function Leading to Potential Fund Loss and NFT Stuck Risk
Summary
This audit report addresses a significant issue found in the depositTokens function of the cross-chain NFT bridge protocol. The function currently lacks a mechanism to determine or adjust the gas fee required on the destination chain. This oversight may result in users either overpaying for gas or, conversely, providing insufficient gas, leading to NFTs potentially getting stuck during the bridging process.
Vulnerability Details
The depositTokens function is responsible for handling the transfer of NFTs from ethereum to starknet and vice versa. However, it does not include any logic to determine or estimate the appropriate gas fee for transactions on the destination chain.
Overpayment Risk: Users who provide too much gas will overpay, resulting in unnecessary loss of funds. This occurs because the excess gas sent is not refunded or adjusted.
Underpayment Risk: Users who send too little gas may find that their NFTs get stuck, as the transaction on the destination chain may fail or remain pending due to insufficient gas. This situation can lead to significant delays or even permanent loss of access to the NFT.
Impact
Without an appropriate mechanism to handle gas fees, users are exposed to financial losses and operational risks. NFTs, which can be valuable, may become inaccessible or lost if the transaction fails on the destination chain due to incorrect gas fees.
Tools Used
Manual Review
Recommendations
Integrate a mechanism within the depositTokens function to estimate and validate the gas fee required for the destination chain. This can involve:
Gas Estimation API: Utilize an API or oracle service to dynamically calculate the appropriate gas fee for transactions on the destination chain, adjusting the user's input accordingly.
User Notifications: Provide warnings or alerts to users when their specified gas fee is either too high or too low, allowing them to adjust their transaction parameters before proceeding.
Develop a refund mechanism within the depositTokens function that returns any excess gas to the user if the transaction is completed with less gas than provided. This prevents unnecessary financial loss for users who overestimate gas fees.
Lead Judging Commences
finding-not-enough-fee-can-block-NFT
Impact: Medium/High. Need an admin to start a cancellation and wait for 5 days once done. DoS > 5 days. Likelyhood: Low. Everytime a wallet/or a user do not send enough gas
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.