Bridging too many NFTs from Starknet to Mainnet can cause an out-of-gas error on Mainnet, after which no more NFTs can be bridged.
It is possible for a user to bridge an NFT from Starknet to Ethereum directly. On L1, the function _whiteListCollection() is called. If collectionL1 is address(0), this is the first time that Starknet collection is bridged from L2 to L1, and the code aims to whitelist the collection after deploying the NFT contract (see StarkLane::_whiteListCollection()).

Whitelisting requires looping over the whole collection array before pushing one more element onto it. As the array grows, this loop becomes unbounded and eventually runs out of gas, which blocks users from finalizing their withdrawals on L1. Since the user's NFT is already locked on Starknet at that point, this results in a loss of funds.

Due to the unbounded loop over whitelisted collection addresses, the user's NFT is stuck on Starknet because the function is DoSed.

In short, a malicious attacker can keep minting and bridging a large number of worthless NFTs to grow the collection array until user bridging is blocked and withdrawal requests can no longer be finalized, which causes loss of funds.
Manual Review
We recommend changing the design logic for adding _whiteListCollection addresses so that adding one address does not require iterating over all previously added ones.
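To make the recommendation concrete, the following Solidity contract is an added illustration and is not StarkLane's code. It places the array-scanning pattern the finding describes beside a mapping-based variant whose gas cost per whitelisting does not grow with the number of collections. All contract, function and storage names (WhitelistPatterns, whiteListCollectionA/B, finalizeWithdrawB, l2ToL1Collection) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration (not StarkLane code): two whitelisting patterns side by side.
/// All names below are hypothetical.
contract WhitelistPatterns {
    // --- Pattern A: array scanned on every insert (the DoS described in the finding) ---
    address[] private _collectionsA;

    function whiteListCollectionA(address collection) internal {
        // The duplicate check walks the whole array: O(n) gas per call.
        // Every new collection makes the next call more expensive, until the
        // loop exceeds the block gas limit and every first-time L2->L1
        // finalization that reaches this function reverts.
        for (uint256 i = 0; i < _collectionsA.length; i++) {
            if (_collectionsA[i] == collection) {
                return;
            }
        }
        _collectionsA.push(collection);
    }

    // --- Pattern B: mapping for membership, array kept only for enumeration ---
    mapping(address => bool) private _isWhitelisted;
    address[] private _collectionsB;

    function whiteListCollectionB(address collection) internal {
        // O(1) membership test: the cost is constant regardless of how many
        // collections exist, so growing the list cannot push other users'
        // withdrawals out of gas.
        if (_isWhitelisted[collection]) {
            return;
        }
        _isWhitelisted[collection] = true;
        _collectionsB.push(collection); // optional; only for off-chain enumeration
    }

    function isWhitelisted(address collection) external view returns (bool) {
        return _isWhitelisted[collection];
    }

    // Hypothetical L2 collection id -> deployed L1 collection address.
    mapping(uint256 => address) public l2ToL1Collection;

    /// Sketch of the first-bridge path using Pattern B.
    /// `deployed` stands in for the L1 NFT contract created for this collection.
    function finalizeWithdrawB(uint256 l2Collection, address deployed) external {
        address collectionL1 = l2ToL1Collection[l2Collection];
        if (collectionL1 == address(0)) {
            // First time this L2 collection reaches L1: record the deployed
            // contract and whitelist it at constant gas cost.
            l2ToL1Collection[l2Collection] = deployed;
            whiteListCollectionB(deployed);
        }
        // ... token transfer/mint to the withdrawing user would follow here ...
    }
}
```

The point of Pattern B is that the gas spent by any single withdrawal is independent of how many collections have been bridged before it, which removes the lever an attacker would otherwise have by bridging many worthless collections. If the contract also needs to enumerate whitelisted collections on-chain, that enumeration should be paginated rather than performed inside the withdrawal path.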
Likelihood: High, once the whitelist option is disabled, collections will grow. Impact: High, withdrawals won't be possible because of Out-Of-Gas.