ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Check for `payload.length` is performed after the tokens are deposited in the escrow in `Starklane::depositTokens`, in case `payload.length` is incorrect deposition will still happen.

tdey

Summary

The check for payload.length is performed after deposition of tokens to escrow, even if the length is incorrect the deposition will happen anyways which is not desirable.

Vulnerability Details

depositTokens function

In Starklane::depositTokens function the payload.length is checked here

@> if (payload.length >= MAX_PAYLOAD_LENGTH) {

revert TooManyTokensError();

}

link to code

payload.length must remain within the MAX_PAYLOAD_LENGTH range for correct operation of the function.

payload is calculated as:

uint256[] memory payload = Protocol.requestSerialize(req);

link to code

Hence, the value of payload depends on req
req is a struct of type Request, which keeps track of the request information.

Request memory req;

req depends on the input parameter of the deposit function.

req.header = Protocol.requestHeaderV1(ctype, useAutoBurn, false);

req.hash = Protocol.requestHash(salt, collectionL1, ownerL2, ids);

// TODO: store request hash in storage to avoid replay attack.

// or can it be safe to use block timestamp? Not sure as

// several tx may have the exact same block.

req.collectionL1 = collectionL1;

req.collectionL2 = _l1ToL2Addresses[collectionL1];

req.ownerL1 = msg.sender;

req.ownerL2 = ownerL2;

link to code

payload depends on req and req in turn depends on input parameters.

req.hash = Protocol.requestHash(salt, collectionL1, ownerL2, ids);

link to code

Here, we can see the number of token ids would directly effect value of req.hash, which in turn is being used to calculate payload

Impact

So the check for payload.length should be performed before depositing into escrow. In case the payload.length exceeds the max limit the function will revert after depositing into escrow, again it will have to be withdrawn to recover the tokens.

Tools Used

Manual review

Recommendations

Perform the check on payload.length before calling _depositIntoEscrow(ctype, collectionL1, ids); so that only correct amount of tokens are deposited into escrow.

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.