ArkProject: NFT Bridge
ArkProject
NFTBridge
60,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

incompliance with ERC721 standard in Request payload of `Bridge.cairo` leads to requests failures

x18a6

Summary

Vulnerability Details

  • fn erc721_metadata() always returns "" for base_uri in case of Option::Some(...), see here.

  • It's then destructured here where base_uri will be an empty string, see here.

  • Now here, it says for uris param:

// ERC721: must be empty if base_uri is provided, else length must match ids.
With the logic above, base_uri will always be an empty string i.e., uris.length must always match ids.

The problem is that new_owners is declared as an empty array, meaning it's length will always be 0 and uris.length won't match ids. The test suite fails to spot that because requests are constructed manually:

let req = Request {
header: compute_request_header_v1(ctype, use_deposit_burn_auto, use_withdraw_auto),
hash: compute_request_hash(salt, collection_l2, owner_l1, token_ids),
collection_l1,
collection_l2,
owner_l1,
owner_l2: from,
name,
symbol,
base_uri,
ids: token_ids,
values: array![].span(),
uris,
@> new_owners: array![].span(),

Sponsors also confirmed that:

Yes base_uri will always be an empty string. There is no method in Starknet ERC721 interface to retrieve base_uri.
Yes uris and ids must have the same length.

Impact

Incompliance with ERC721, the impact would be requests failures and denial of service.

Tools Used

Manual review.

Recommendations

Implement the full logic to allow uris and new_owners usage.

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.