NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Token may be lost on Starknet

Summary

Tokens minted through the bridge may be lost on Starknet because `_mint` does not check that the recipient is able to handle ERC721 tokens.

Vulnerability Details

The `mint_from_bridge` function uses the unsafe internal method `_mint` to mint a token to an address. However, the OpenZeppelin documentation carries a warning for this method:

WARNING: This method may lead to the loss of tokens if `to` is not aware of the ERC721 protocol.

https://github.com/OpenZeppelin/cairo-contracts/blob/3d5bdc523935e8cb378672810ab468f652263642/packages/token/src/erc721/erc721.cairo#L533C13-L534C22

```cairo
fn mint_from_bridge(ref self: ContractState, to: ContractAddress, token_id: u256) {
    assert(
        starknet::get_caller_address() == self.bridge.read(),
        'ERC721: only bridge can mint'
    );
    // @audit token may be lost. WARNING: This method may lead to the loss of tokens if `to` is not aware of the ERC721
    // protocol. See https://github.com/OpenZeppelin/cairo-contracts/blob/3d5bdc523935e8cb378672810ab468f652263642/packages/token/src/erc721/erc721.cairo#L533C13-L534C22
    self.erc721._mint(to, token_id);
}

fn mint(ref self: ContractState, to: ContractAddress, token_id: u256) {
    self.ownable.assert_only_owner();
    self.erc721._mint(to, token_id); // @audit unsafe mint
}
```

Impact

This method may lead to the loss of tokens if `to` is not aware of the ERC721 protocol.

Tools Used

Manual Review

Recommendations

Use the `safe_mint` method instead of `_mint`.
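The two entry points from the finding with `_mint` swapped for OpenZeppelin's `safe_mint`, as an added example rather than the NFTBridge project's own code. It assumes the contract embeds the `erc721`, `ownable` and `bridge` storage members exactly as the snippet above does, and that the internal function is named `safe_mint` in the OpenZeppelin version the project uses (taken from the recommendation, not verified against the project's dependency).

```cairo
// Added example, not the project's code. Same two mint paths as the finding,
// with the unsafe `_mint` replaced by `safe_mint`. On Starknet every account
// is a contract, so OpenZeppelin's receiver check accepts a recipient that
// declares either the IERC721Receiver interface (and returns the expected
// selector from `on_erc721_received`) or the ISRC6 account interface via
// SRC5; any other recipient makes the call panic instead of silently
// minting a token the recipient can never move.
// Assumed storage layout: `erc721: ERC721Component::Storage`,
// `ownable: OwnableComponent::Storage`, `bridge: ContractAddress`.

fn mint_from_bridge(ref self: ContractState, to: ContractAddress, token_id: u256) {
    assert(
        starknet::get_caller_address() == self.bridge.read(),
        'ERC721: only bridge can mint'
    );
    // `data` is forwarded to the recipient's `on_erc721_received` hook;
    // an empty span is sufficient when no extra payload is needed.
    let data: Span<felt252> = array![].span();
    self.erc721.safe_mint(to, token_id, data);
}

fn mint(ref self: ContractState, to: ContractAddress, token_id: u256) {
    self.ownable.assert_only_owner();
    let data: Span<felt252> = array![].span();
    self.erc721.safe_mint(to, token_id, data);
}
```

Because `safe_mint` panics rather than mints when the recipient fails the check, the bridge's message handling must be prepared for a reverted L2 mint instead of a completed one.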

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.

Appeal created

745fe9f9c2 Submitter
11 months ago
n0kto Lead Judge
11 months ago
