ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

User's bridged NFT cannot be withdrawn on L1

takarez

Summary

Vulnerability Details

The deposit_tokens of the bridge.cairo allow users to bridge tokens from the L2 ( starknet) to the ethereum mainnet (L1)

/// Deposits tokens to be bridged on the L1.

///

/// # Arguments

///

/// * `salt` - Randome salt to compute request hash.

/// * `collection_l2` - Address of the collection on L2.

/// * `owner_l1` - Address of the owner on L1.

/// * `tokens_ids` - Tokens to be bridged on L1.

/// * `use_withdraw_auto` - Tokens are automatically withdrawn on L1 using Starklane indexer.

/// * `use_deposit_burn_auto` - Tokens are automatically burnt on L2 once transferred using Starklane indexer.

///

However, there exist a vulnerability that will prevent users from withdrawing their bridged token (NFT) on the mainnet.

The issue here is that after an audit report, the use of use_withdraw_auto is disallowed, meaning a token cannot be withdrawn when the use_withdraw_auto is set to true from the L2 (starknet);

if (Protocol.canUseWithdrawAuto(header)) {

// 2024-03-19: disabled autoWithdraw after audit report

// _consumeMessageAutoWithdraw(_starklaneL2Address, request);

revert NotSupportedYetError();

the problem is , users can still initiate a bridge of their token (NFT) with the use_withdraw_auto as true, this is because it was never disallowed from the starknet side of the code, this will also means that users will never be able to withdraw their bridged assets (NFT) :

escrow_deposit_tokens(ref self, collection_l2, from, token_ids);

let collection_l1 = self.l2_to_l1_addresses.read(collection_l2);

let req = Request {

header: compute_request_header_v1(ctype, use_deposit_burn_auto, use_withdraw_auto),

hash: compute_request_hash(salt, collection_l2, owner_l1, token_ids),

collection_l1,

collection_l2,

owner_l1,

owner_l2: from,

name,

symbol,

base_uri,

ids: token_ids,

values: array![].span(),

uris,

new_owners: array![].span(),

};

Impact

Users bridging to the mainnet will have their assets stuck and unable to withdraw

Tools Used

manual review

Recommendations

Disable the user of the param on the L2 (starknet) also.

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-auto_withdrawn-L2-NFT-stuck

Impact: High, token will be stuck in L2 bridge. Likelyhood: Very low, option is available in L2 but has been disabled since March on L1, would be almost a user error.

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.