The Deployer library employs abi.encodeWithSelector to encode initialization data for the ERC721Bridgeable and ERC1155Bridgeable contracts. However, the use of abi.encode within these encoding calls may be incorrect, potentially leading to improper encoding of the initialization data. This could cause the proxy to fail to initialize the implementation contracts correctly.
The dataInit used in the abi.encodeWithSelector function for initialization data may be improperly encoded. Specifically, the abi.encode function is used to encode parameters for the initialize functions of ERC721Bridgeable and ERC1155Bridgeable. If the parameters are not encoded correctly, the proxy contract will pass malformed initialization data to the implementation contract, leading to failures in setting up the contract state.
Initialization Failures: If the initialization data is not correctly encoded, the initialize function in the implementation contract may not receive the correct parameters. This can result in improper initialization, leaving the contract in an uninitialized or partially initialized state.
Contract Usability: An uninitialized or incorrectly initialized contract can cause failures when interacting with the contract, affecting functionality such as token minting, transfers, or other critical operations.
Security Risks: Improper initialization can also introduce vulnerabilities if critical contract setup steps are skipped or executed with incorrect parameters.
Manual review
Verify Encoding of Initialization Data:
Review the initialize functions in ERC721Bridgeable and ERC1155Bridgeable to ensure that the data encoded with abi.encode matches the expected parameters and format.
Example of Correct Encoding:
For ERC1155Bridgeable, ensure that the URI parameter is encoded correctly:
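One way to run the check recommended above, as an added example that is not code from the Deployer library or from this submission. MockBridgeable, its initialize(string) signature and EncodingCheck are hypothetical, since the page does not show the real initialize functions; pre-wrapping the arguments with abi.encode is only correct when initialize takes a single bytes parameter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for an implementation contract. The real initialize
// signatures of ERC721Bridgeable / ERC1155Bridgeable are not shown on the page.
contract MockBridgeable {
    string public uri;
    bool public initialized;

    function initialize(string memory uri_) external {
        require(!initialized, "already initialized");
        initialized = true;
        uri = uri_;
    }
}

contract EncodingCheck {
    // Arguments passed directly: selector || abi.encode(uri_).
    function direct(string memory uri_) public pure returns (bytes memory) {
        return abi.encodeWithSelector(MockBridgeable.initialize.selector, uri_);
    }

    // Arguments pre-wrapped: selector || abi.encode(bytes(abi.encode(uri_))).
    // The callee sees one dynamic value whose content is raw ABI data.
    function wrapped(string memory uri_) public pure returns (bytes memory) {
        return abi.encodeWithSelector(
            MockBridgeable.initialize.selector, abi.encode(uri_));
    }

    // Type-checked at compile time against the target signature, so a
    // wrapped argument of the wrong type is rejected by the compiler.
    function typed(string memory uri_) public pure returns (bytes memory) {
        return abi.encodeCall(MockBridgeable.initialize, (uri_));
    }

    // Initializes a fresh mock with `data` and reports whether the stored
    // URI equals the intended one. A successful call is not sufficient.
    function stores(bytes memory data, string memory want) public returns (bool) {
        MockBridgeable m = new MockBridgeable();
        (bool ok, ) = address(m).call(data);
        return ok && keccak256(bytes(m.uri())) == keccak256(bytes(want));
    }

    function check(string memory uri_) external returns (bool directOk, bool wrappedOk) {
        directOk = stores(direct(uri_), uri_);   // true: URI stored as given
        wrappedOk = stores(wrapped(uri_), uri_); // false: call succeeds, URI is ABI bytes
    }
}
```

With a typed initialize, the wrapped call does not revert, so the stored state has to be compared against the intended value rather than relying on the call's success flag.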