NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Lack of Explicit Ownership Check During NFT Withdrawal

Summary:

The withdrawTokens function does not explicitly verify, on the L1 side, that the account named in a withdrawal request is entitled to the NFTs it lists. Nothing in the withdrawal path ties msg.sender, or the req.ownerL1 carried in the request, to the account that deposited the tokens, so if an arbitrary caller can supply the serialized request, that caller could withdraw NFTs they do not own.

Vulnerability Details:

  1. Absence of Ownership Verification:

  • The function processes the withdrawal based on the deserialized request without checking whether msg.sender, or the req.ownerL1 named in the request, is entitled to the NFTs being withdrawn.

  • The function relies on the Protocol.requestDeserialize method to reconstruct the request but does not validate ownership of the NFTs specified in it.

  Token Withdrawal Loop:

    // ctype and collectionL1 are resolved earlier in withdrawTokens (not shown here).
    for (uint256 i = 0; i < req.tokenIds.length; i++) {
        uint256 id = req.tokenIds[i];
        // Returns true if the token was held in escrow and has now been released to req.ownerL1.
        bool wasEscrowed = _withdrawFromEscrow(ctype, collectionL1, req.ownerL1, id);
        if (!wasEscrowed) {
            // Token never passed through escrow on L1: mint it directly to req.ownerL1.
            IERC721Bridgeable(collectionL1).mintFromBridge(req.ownerL1, id);
        }
    }

Ownership Verification (missing):

The function retrieves each token ID from the req.tokenIds array.
It then attempts to release the token from escrow to req.ownerL1 using the _withdrawFromEscrow method.
If the token was not escrowed, it mints a new one with IERC721Bridgeable(collectionL1).mintFromBridge(req.ownerL1, id).
At no point in this loop, nor elsewhere in the snippet, is req.ownerL1 compared with the account that deposited the token or with msg.sender. Note that the NFT contract's own ownerOf cannot serve as that check for an escrowed token, because while the token sits in escrow its ERC721 owner is the bridge contract itself; the entitlement has to come from the bridge's own records or from the authenticated cross-chain message that triggered the withdrawal.

  2. Potential Exploit Scenario:

  • A malicious actor crafts a request whose ownerL1 is their own address and whose tokenIds list tokens deposited by other users (or IDs that were never escrowed), then calls withdrawTokens with it.

  • Since the loop performs no ownership check, the contract releases the escrowed tokens to the attacker and mints the non-escrowed IDs to them.

  • This scenario presupposes that withdrawTokens accepts the serialized request from the caller rather than only from an authenticated L2-to-L1 message. The report does not establish which is the case, and the finding's real impact depends on it.

Impact:

  • Unauthorized access and transfer of NFTs.

  • Loss of assets for legitimate NFT owners.

  • Potential legal and financial repercussions for the platform.

Tools Used:

Manual review

Recommendations:

Implement an explicit entitlement check in the withdrawal path so that only the legitimate owner of the NFTs can have them withdrawn. Two checks are relevant. First, the request itself must be accepted only when it arrives through the bridge's authenticated cross-chain path (and consumed once, to prevent replay), not from arbitrary calldata. Second, if the bridge records the depositor at deposit time, the recorded depositor can be compared with req.ownerL1 (or with msg.sender) before an escrowed token is released; this record is needed because the NFT contract's ownerOf returns the bridge itself for an escrowed token and so cannot be used directly. If the bridged token can legitimately change hands on the other chain, the authenticated message is the authoritative source of the L1 recipient and the depositor comparison must not be enforced.
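The following is an added Solidity example, written for this page and not the NFTBridge project's own code, that shows the unchecked withdrawal shape from the report next to a hardened version. The contract name, the Request struct, the escrowed and authorizedRequest mappings, the messenger role and the authorize function are all assumptions chosen to mirror the snippet above; the real contract's deserialization and messaging layer may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this report; not the NFTBridge code.
// Interface is assumed from the mintFromBridge call in the snippet above.
interface IERC721Bridgeable {
    function mintFromBridge(address to, uint256 id) external;
    function transferFrom(address from, address to, uint256 id) external;
}

// Assumed request layout, mirroring req.ownerL1 / req.tokenIds in the report.
struct Request {
    address collectionL1;
    address ownerL1;
    uint256[] tokenIds;
}

contract WithdrawExample {
    // collection => tokenId => held in escrow by this bridge.
    mapping(address => mapping(uint256 => bool)) public escrowed;

    // keccak256(serialized request) => authorized by the trusted cross-chain path.
    mapping(bytes32 => bool) public authorizedRequest;

    // Assumed trusted messenger (the component that consumes L2 -> L1 messages).
    address public immutable messenger;

    constructor(address _messenger) {
        messenger = _messenger;
    }

    function deposit(address collection, uint256 id) external {
        IERC721Bridgeable(collection).transferFrom(msg.sender, address(this), id);
        escrowed[collection][id] = true;
    }

    // Only the messenger may mark a request as authorized.
    function authorize(bytes calldata serialized) external {
        require(msg.sender == messenger, "not messenger");
        authorizedRequest[keccak256(serialized)] = true;
    }

    // Unchecked shape described in the report: any caller can pass any
    // serialized request, so any escrowed token can be released to, and any
    // non-escrowed id minted to, an attacker-chosen ownerL1.
    function withdrawTokensUnchecked(bytes calldata serialized) external {
        Request memory req = abi.decode(serialized, (Request));
        _release(req);
    }

    // Hardened: the exact serialized request must have come through the
    // messenger, is consumed once (replay protection), and the caller must
    // be the ownerL1 it names.
    function withdrawTokens(bytes calldata serialized) external {
        bytes32 h = keccak256(serialized);
        require(authorizedRequest[h], "request not authorized");
        delete authorizedRequest[h];
        Request memory req = abi.decode(serialized, (Request));
        require(msg.sender == req.ownerL1, "caller is not ownerL1");
        _release(req);
    }

    // Same loop as in the report: release from escrow, otherwise mint.
    function _release(Request memory req) internal {
        for (uint256 i = 0; i < req.tokenIds.length; i++) {
            uint256 id = req.tokenIds[i];
            bool wasEscrowed = _withdrawFromEscrow(req.collectionL1, req.ownerL1, id);
            if (!wasEscrowed) {
                IERC721Bridgeable(req.collectionL1).mintFromBridge(req.ownerL1, id);
            }
        }
    }

    function _withdrawFromEscrow(address collection, address to, uint256 id)
        internal
        returns (bool)
    {
        if (!escrowed[collection][id]) return false;
        delete escrowed[collection][id];
        IERC721Bridgeable(collection).transferFrom(address(this), to, id);
        return true;
    }
}
```

The hardened path deliberately keys authorization on the hash of the full serialized request: swapping in a different ownerL1 or tokenIds changes the hash, so an attacker cannot reuse an authorization obtained for someone else's withdrawal. The msg.sender check is an additional restriction that only makes sense if withdrawals are never relayed on a user's behalf; drop it if the bridge supports relayers, and rely on the authenticated request alone.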

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the real impact possible.
