NFTBridge
60,000 USDC
Submission Details
Severity: medium
Invalid

Public Access to Deploy Functions

Summary:

The Deployer library provides public functions deployERC721Bridgeable and deployERC1155Bridgeable for deploying ERC721 and ERC1155 contracts. Since these functions are public, any user can call them, potentially leading to unwanted or unauthorized deployments. Implementing proper access controls can mitigate this issue.

Vulnerability Details:

  • Location: Deployer Library, deployERC721Bridgeable and deployERC1155Bridgeable Functions

  • Description: The deployERC721Bridgeable and deployERC1155Bridgeable functions are declared as public, meaning they can be called by any address. This unrestricted access could lead to the issues described under Impact below.

Impact:

  • Unwanted Deployments: Malicious actors could spam the blockchain with numerous contract deployments, leading to unnecessary transaction fees and blockchain bloat.

  • Unauthorized Use: If deployment of these contracts should be restricted to certain addresses or roles, the lack of access control could lead to unauthorized usage.

Tools Used:

Manual review

Recommendations:

  1. Implement Access Control:

    • Introduce access control mechanisms to restrict who can call the deployment functions. One common approach is to use an onlyOwner modifier, which allows only the contract owner or specific addresses to deploy contracts.

  2. Restrict Visibility (If Applicable):

    • If the deployment functions should only be called from within the contract or by specific contracts, consider changing their visibility to internal or private. This approach is less flexible but might be suitable in certain scenarios.

    Example with Internal Visibility:

    function deployERC721Bridgeable(
        string memory name,
        string memory symbol
    )
        internal // Restrict visibility to the contract itself
        returns (address)
    {
        // Function implementation
    }
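The following is an added example, not code from the NFTBridge codebase or this submission, showing how recommendations 1 and 2 fit together: the library function is made internal (so it is inlined into the caller and cannot be invoked on its own), and the access check lives on the calling contract, which is the only remaining entry point. The names BridgeableToken, BridgeDeployer, NotOwner and the Deployed event are hypothetical; BridgeableToken is a minimal stand-in for a bridged token contract and does not implement ERC721.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the bridged token; the real ERC721Bridgeable
// contract is not reproduced here. It only records name, symbol and the
// address that deployed it.
contract BridgeableToken {
    string public name;
    string public symbol;
    address public bridge;

    constructor(string memory name_, string memory symbol_) {
        name = name_;
        symbol = symbol_;
        bridge = msg.sender; // the deploying contract becomes the bridge
    }
}

// Recommendation 2: with `internal` visibility the library function is
// compiled into the calling contract's bytecode, so there is no separate
// library entry point that an arbitrary address could call.
library Deployer {
    function deployERC721Bridgeable(string memory name, string memory symbol)
        internal
        returns (address)
    {
        return address(new BridgeableToken(name, symbol));
    }
}

// Recommendation 1: the access check is placed on the contract that calls
// the library. A library has no owner of its own, so this is where an
// onlyOwner-style restriction belongs.
contract BridgeDeployer {
    address public owner;
    address[] public deployed;

    event Deployed(address indexed token, string name, string symbol);

    error NotOwner(address caller);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Only the owner can trigger a deployment; every other caller reverts
    // with NotOwner before any contract creation happens.
    function deployERC721Bridgeable(string memory name, string memory symbol)
        external
        onlyOwner
        returns (address token)
    {
        token = Deployer.deployERC721Bridgeable(name, symbol);
        deployed.push(token);
        emit Deployed(token, name, symbol);
    }

    function deployedCount() external view returns (uint256) {
        return deployed.length;
    }
}
```

Deploying BridgeDeployer and then calling deployERC721Bridgeable from any address other than the deployer reverts with NotOwner; calling it from the owner creates a BridgeableToken whose bridge field is the BridgeDeployer address, and deployedCount() increases by one. The same pattern applies to the ERC1155 variant.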
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
