contract contains a vulnerability that can cause users to lose funds when bridging long messages from Layer 2 (L2) to Layer 1 (L1). This issue arises due to the potential for uncontrolled out-of-gas errors during the execution of the withdrawTokens function.
Functionality Overview:
The withdrawTokens function is responsible for processing withdrawal requests from L2 to L1. It deserializes the request, verifies the collection addresses, and handles the minting or transfer of tokens.
Payload Length Check:
The function does not adequately check the length of the payload before processing it. While there is a constant MAX_PAYLOAD_LENGTH defined, it is only used in the depositTokens function and not in withdrawTokens.
Gas Consumption:
The deserialization and subsequent processing of the request can consume a significant amount of gas, especially if the payload is large. This can lead to an out-of-gas error during execution.
Uncontrolled Out-of-Gas Error:
If an out-of-gas error occurs, the transaction will revert, but the state changes made before the error will not be rolled back. This can result in tokens being locked in the contract without being transferred to the user, effectively causing a loss of funds.
Users attempting to withdraw tokens with large payloads may encounter failed transactions due to out-of-gas errors. This can lead to their tokens being stuck in the contract, causing a loss of access to their assets.
Manual review
Payload Length Validation:
Implement a check in the withdrawTokens function to ensure that the payload length does not exceed a safe limit, similar to the check in the depositTokens function.
Gas Estimation:
Estimate the gas required for processing the request and ensure that the transaction has sufficient gas before execution.