NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

NFT withdraw is allowed by calling cancelRequest even when the bridge is not enabled

Title

NFT withdraw is allowed by calling cancelRequest even when the bridge is not enabled

Line of code

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L243

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L160

Vulnerability Details

The function Starklane::withdrawTokens() is used to withdraw tokens received from L2. It validates if the bridge is enabled or not.

function withdrawTokens(
    uint256[] calldata request
)
    external
    payable
    returns (address)
{
@>  if (!_enabled) {
        revert BridgeNotEnabledError();
    }
    ...
    ...
}

But the issue is in the function Starklane::cancelRequest(): it doesn't validate if the bridge is enabled or not.

function cancelRequest(
    uint256[] memory payload,
    uint256 nonce
) external {
    ...
    ...
}

Impact

The function Starklane::cancelRequest() is used to cancel a request.

Tools Used

Manual Review

Recommendations

We recommend adding the following line to the function Starklane::cancelRequest().

function cancelRequest(
uint256[] memory payload,
uint256 nonce
) external {
+ if (!_enabled) {
+ revert BridgeNotEnabledError();
+ }
...
...
}
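
Review bot: the `_enabled` check added at the top of cancelRequest makes every cancellation revert while the bridge is disabled, so a user with a pending request cannot get the NFT back through this function until the bridge is re-enabled. If disabling is meant to stop new bridging only, leave cancelRequest ungated and document that choice next to the function; if cancellations must be paused too, state how users recover their tokens during the pause.
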
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

invalid-cancel-when-bridge-disable

Technically, if you cancel a message, the token is not really bridged. If you can withdraw, it means that the token has already been bridged. Those two functions do not have to be disabled when the bridge is. Moreover, nothing should prevent users from getting back their NFT.
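
A check a reviewer could run to make the pause policy explicit, as an added example that is not code from the report or from the Ark project: it lists which external/public functions revert on `!_enabled` and compares that with a declared policy. `SAMPLE`, `POLICY`, `pause_coverage` and `policy_drift` are assumed names, the sample bodies are constructed, and the regex scan does not handle modifiers, comments or strings containing braces.

```python
import re

# Constructed sample modelled on the two functions quoted in the report;
# the bodies are placeholders, not the project's code.
SAMPLE = """
contract Starklane {
    function withdrawTokens(uint256[] calldata request)
        external payable returns (address)
    {
        if (!_enabled) {
            revert BridgeNotEnabledError();
        }
        /* withdraw body elided */
    }
    function cancelRequest(uint256[] memory payload, uint256 nonce) external {
        /* cancel body elided */
    }
    function _helper() internal {}
}
"""

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(")
GUARD_RE = re.compile(r"if\s*\(\s*!\s*_enabled\s*\)\s*\{?\s*revert\b")
# Hypothetical declared policy, following the judge's comment:
# cancelRequest is intentionally left ungated.
POLICY = {"withdrawTokens": True, "cancelRequest": False}

def function_bodies(source):
    """Yield (name, header, body) for every function that has a body."""
    for m in FUNC_RE.finditer(source):
        start, semi = source.find("{", m.end()), source.find(";", m.end())
        if start == -1 or (semi != -1 and semi < start):
            continue  # declaration without a body (interface/abstract)
        depth = 0
        for i in range(start, len(source)):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            if depth == 0:
                break
        yield m.group(1), source[m.end():start], source[start:i + 1]

def pause_coverage(source):
    """Map each external/public function to True if it reverts on !_enabled."""
    return {name: bool(GUARD_RE.search(body))
            for name, header, body in function_bodies(source)
            if re.search(r"\b(external|public)\b", header)}

def policy_drift(source, policy):
    """Functions whose guard status differs from, or is missing in, the policy."""
    actual = pause_coverage(source)
    return sorted(n for n, gated in actual.items() if policy.get(n) != gated)
```

Run against the contract source in CI, any change that adds or removes an `_enabled` gate shows up as drift and has to be matched by a deliberate policy update.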
