NFTBridge
60,000 USDC
View results
Submission Details
Severity: high
Valid

NFT contract deployed by L1 Bridge cannot be upgraded, nor can its ownership be transferred.

Summary

ERC721 contract deployed by L1 Bridge.sol when withdrawTokens() is called cannot be upgraded or have their ownership transferred.

Vulnerability Details

When the ERC721 NFT contract is deployed by the L1 bridge contract, the bridge becomes the owner of the NFT contract. As a result, only the bridge can call transferOwnership() and upgradeTo() on the NFT contract; otherwise, the transaction will revert. However, the L1 bridge does not expose or implement functions to invoke these transfer and upgrade operations on the NFT contract.

Impact

  • The overall design of ArkProject incorporates upgradeable contracts for both the L1 and L2 sides. However, due to the missing capability in the L1 bridge, the L1 ERC721 NFT contract cannot be upgraded.

  • The ownership of the NFT contract can never be changed.

Tools Used

Manual

Recommendations

Just as the L2 bridge exposes the collection_upgrade() and collection_transfer_ownership() functions, which can only be called by the L2 bridge admin, the L1 bridge should similarly implement collectionUpgrade() and collectionTransferOwnership() functions. These should be callable only by the L1 bridge admin to handle upgrades and ownership transfers of L1 NFT collections.

Updates

Lead Judging Commences

n0kto Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-no-transferOwnership-or-upgrade-for-collections-in-CollectionManager

Likelyhood/Impact: High, it will never (until an upgrade) be able to update or transfer the ownership of any collections created on L1.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.