NFTBridge
60,000 USDC
Submission Details
Severity: medium
Valid

An underpaid deposit transaction will never be relayed, resulting in loss of the NFT.

Line of code

https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/src/Bridge.sol#L137

Vulnerability Details

From the Starknet documentation:
https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/#l1-l2-message-fees

An L1 → L2 message induces a transaction on L2, which, unlike regular transactions, is not sent by an account. This calls for a different mechanism for paying the transaction’s fee, for otherwise the sequencer has no incentive of including L1 handler transactions inside a block.

And from the Cairo language documentation:
https://book.cairo-lang.org/ch16-04-L1-L2-messaging.html#cairo-serde

It's important to note that we have {value: msg.value}. In fact, the minimum value we've to send here is 20k wei, due to the fact that the StarknetMessaging contract will register the hash of our message in the storage of Ethereum.

In addition to those 20k wei, since the L1HandlerTransaction executed by the sequencer is not tied to any account (the message originates from L1), you must also ensure that you pay enough fees on L1 for your message to be deserialized and processed on L2.

Now look at Starklane::depositTokens(), which deposits tokens in escrow and initiates the transfer to Starknet.

function depositTokens(
    uint256 salt,
    address collectionL1,
    snaddress ownerL2,
    uint256[] calldata ids,
    bool useAutoBurn
)
    external
    payable
{
    ...
    ...
@>  IStarknetMessaging(_starknetCoreAddress).sendMessageToL2{value: msg.value}(
        snaddress.unwrap(_starklaneL2Address),
        felt252.unwrap(_starklaneL2Selector),
        payload
    );
    emit DepositRequestInitiated(req.hash, block.timestamp, payload);
}

But there is no validation that msg.value is sufficient when the NFT is deposited and the message is sent. An underpaid message will leave the NFT stuck.

Impact

Loss of user's NFT due to not supplying enough gas for cross chain transfer.

Tools Used

Manual Review

Recommendations

We recommend checking that the user has sent enough, which should not be less than 20k wei.
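One way to implement this check, as an added example that is not the Ark Project's code: a sender that reverts when msg.value is below the 20k wei floor plus an estimate for L2 processing, since the Cairo book quote says both must be covered. The contract name FeeCheckedSender, the admin-set minL2FeeWei and the error names are hypothetical; only the sendMessageToL2 call comes from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added example. Interface limited to the call used in depositTokens().
interface IStarknetMessaging {
    function sendMessageToL2(
        uint256 toAddress,
        uint256 selector,
        uint256[] calldata payload
    ) external payable returns (bytes32, uint256);
}

contract FeeCheckedSender {
    // Floor quoted from the Cairo book: cost of registering the message hash on L1.
    uint256 public constant MESSAGE_REGISTRATION_FLOOR = 20_000;

    address public immutable admin;
    IStarknetMessaging public immutable starknetCore;
    // Hypothetical: admin-maintained estimate (in wei) for executing the L1 handler on L2.
    uint256 public minL2FeeWei;

    error InsufficientMessageFee(uint256 sent, uint256 required);
    error NotAdmin();

    constructor(address core, uint256 initialMinL2FeeWei) {
        admin = msg.sender;
        starknetCore = IStarknetMessaging(core);
        minL2FeeWei = initialMinL2FeeWei;
    }

    function setMinL2Fee(uint256 newMinL2FeeWei) external {
        if (msg.sender != admin) revert NotAdmin();
        minL2FeeWei = newMinL2FeeWei;
    }

    function requiredFee() public view returns (uint256) {
        return MESSAGE_REGISTRATION_FLOOR + minL2FeeWei;
    }

    // In depositTokens() this check belongs at the top, before tokens are escrowed.
    function sendChecked(uint256 toAddress, uint256 selector, uint256[] calldata payload)
        external payable returns (bytes32 msgHash)
    {
        uint256 required = requiredFee();
        if (msg.value < required) revert InsufficientMessageFee(msg.value, required);
        (msgHash, ) = starknetCore.sendMessageToL2{value: msg.value}(toAddress, selector, payload);
    }
}
```

Front ends can read requiredFee() before submitting, so an underfunded deposit is rejected on L1 instead of waiting on the cancellation path.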

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-not-enough-fee-can-block-NFT

Impact: Medium/High. Need an admin to start a cancellation and wait for 5 days once done. DoS > 5 days. Likelihood: Low. Every time a wallet or a user does not send enough gas
