Missing user input sanitation in L1-L2 could lead to the loss of ERC721 tokens.
Summary
The user can lead the NFTs to be transferred to a null address. Both from L1 to L2 and L2 to L1 depositTokens functions lack the null address or zero address check.
Vulnerability Details
The L1 depositTokens function has the sanity check for a valid starknet address but not for a null address and vice-versa for L2. As both functions are external user input sanitation lacks where neither L1 checks before making the transfer and nor L2 makes before minting the token. Furthermore, if the user tries to deliberately send the tokens to a null address, the bridge should stop the potential burn as this kind of functionality is not in the bridge principle or feature.
depositToken in Starknet (L2)
depositToken in Ethereum (L1)
Test cases written for the sanity of valid starknet address can be modified to pass the valid L2 zero address.
https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/test/Cairo.t.sol#L17-L21
Impact
NFTs/ERC721 sent to the null address are lost permanently and lost for the user. Likelihood minimum and impact high.
Tools Used
Manual
Recommendations
Add checks for null addresses on both sides of the deposit function and keep an equal number of validations too.
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.