NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Token may be lost on Starknet

Summary

Token may be lost on Starknet

Vulnerability Details

The mint_from_bridge function uses the unsafe _mint method to mint a token to an arbitrary address. The OpenZeppelin documentation for this method carries an explicit warning:

WARNING: This method may lead to the loss of tokens if to is not aware of the ERC721 protocol.

https://github.com/OpenZeppelin/cairo-contracts/blob/3d5bdc523935e8cb378672810ab468f652263642/packages/token/src/erc721/erc721.cairo#L533C13-L534C22

fn mint_from_bridge(ref self: ContractState, to: ContractAddress, token_id: u256) {
    assert(
        starknet::get_caller_address() == self.bridge.read(),
        'ERC721: only bridge can mint'
    );
    /// @audit token may be lost. WARNING: This method may lead to the loss of tokens if `to` is not aware of the ERC721
    /// protocol. See https://github.com/OpenZeppelin/cairo-contracts/blob/3d5bdc523935e8cb378672810ab468f652263642/packages/token/src/erc721/erc721.cairo#L533C13-L534C22
    self.erc721._mint(to, token_id);
}

fn mint(ref self: ContractState, to: ContractAddress, token_id: u256) {
    self.ownable.assert_only_owner();
    self.erc721._mint(to, token_id); //@audit unsafe mint
}

Impact

This method may lead to the loss of tokens if `to` is not aware of the ERC721 protocol: a token minted to a contract that cannot call transfer_from has no way of ever leaving that address.

Tools Used

Manual Review

Recommendations

Use the safe_mint method instead of _mint, so that minting to a contract that does not implement the ERC721 receiver interface reverts rather than silently locking the token.
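To make the difference between the two mint paths concrete, here is a small Python model (added for illustration, not the bridge's Cairo code) of the receiver check that safe_mint performs and _mint skips. The interface ids, recipient classes and the `can_move_token` heuristic are constructed assumptions that mirror the SRC5-style check in OpenZeppelin's Cairo ERC721, not real on-chain values.

```python
# Simplified model of ERC721 _mint vs safe_mint. Constructed for illustration.
IERC721_RECEIVER_ID = "IERC721_RECEIVER_ID"  # placeholder for the SRC5 interface id
ISRC6_ID = "ISRC6_ID"                        # placeholder for the Starknet account interface id


class Recipient:
    """A deployed address; `interfaces` is what it reports via supports_interface."""
    def __init__(self, name, interfaces=()):
        self.name = name
        self.interfaces = set(interfaces)

    def supports_interface(self, iface):
        return iface in self.interfaces


class ReceiverContract(Recipient):
    """Contract that is ERC721-aware: implements on_erc721_received."""
    def __init__(self, name):
        super().__init__(name, [IERC721_RECEIVER_ID])

    def on_erc721_received(self, operator, from_, token_id, data):
        return IERC721_RECEIVER_ID  # the magic value a compliant receiver returns


class ERC721:
    def __init__(self):
        self.owner_of = {}

    def _mint(self, to, token_id):
        # Unsafe path: writes ownership without asking whether `to` can handle NFTs.
        if token_id in self.owner_of:
            raise ValueError("ERC721: token already minted")
        self.owner_of[token_id] = to

    def _check_on_erc721_received(self, from_, to, token_id, data):
        if to.supports_interface(IERC721_RECEIVER_ID):
            return to.on_erc721_received(None, from_, token_id, data) == IERC721_RECEIVER_ID
        return to.supports_interface(ISRC6_ID)  # plain accounts may always receive

    def safe_mint(self, to, token_id, data=()):
        # Check before writing; on-chain the whole call reverts, so this is equivalent.
        if not self._check_on_erc721_received(None, to, token_id, data):
            raise ValueError("ERC721: safe mint failed")
        self._mint(to, token_id)


def can_move_token(nft, token_id):
    """Standard's heuristic: only an account or an ERC721-aware contract can ever transfer."""
    owner = nft.owner_of[token_id]
    return owner.supports_interface(ISRC6_ID) or owner.supports_interface(IERC721_RECEIVER_ID)


def demo():
    vault = Recipient("legacy_vault")  # constructed: a contract with no ERC721 awareness
    unsafe, safe = ERC721(), ERC721()
    unsafe._mint(vault, 1)             # succeeds, token is now stuck forever
    try:
        safe.safe_mint(vault, 1)       # reverts instead of locking the token
        reverted = False
    except ValueError:
        reverted = True
    return not can_move_token(unsafe, 1), reverted, 1 in safe.owner_of
```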

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.

Appeal created

