NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

ERC721 Lockup Risk: Absence of L2 Rollback Pathway in Deposit Operations

Summary

Once ERC721 tokens have been deposited on L2 through deposit_tokens, there is no mechanism to cancel the operation, so the tokens may remain locked within the bridge.

Vulnerability Details

When bridging from L2 to L1, users transfer ERC721 tokens to the L2 Bridge through deposit_tokens. However, the contract has no function to cancel the deposit or otherwise move these ERC721 tokens once they are held. This means that if the protocol runs into problems, such as the L1 Bridge not being enabled or COLL_L1 not being whitelisted, the assets may stay locked in the contract and potentially become irretrievable. Furthermore, if the tokens cannot be claimed on the L1 side, users cannot trigger withdraw_auto_from_l1 with is_escrowed set to true by sending a message to L2.

Impact

User assets could be locked within the contract indefinitely. If unresolved, users could permanently lose access to valuable ERC721 tokens, undermining trust in the platform's reliability.

Tools Used

Manual Review

Recommendations

Implement a cancellation mechanism on L2 similar to the one on L1, enabling tokens to be returned to their original owners. It is essential to differentiate between ERC721 tokens that have already been moved to L1 and those that haven't. Tokens claimed on L1 should not be returned on L2.
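The following is an added illustration, not code from this report or from the bridge itself: a hypothetical Python model in which L2 only knows its own escrow state while L1 alone knows whether a deposit message was consumed. It shows why a cancel decided from L2 state alone can duplicate a token already claimed on L1, and why the cancel must be sealed on L1 first. All names (BridgeModel, l1_consume, cancel_via_l1, the nonce bookkeeping) are assumptions for the model.

```python
from dataclasses import dataclass

@dataclass
class Deposit:
    owner: str              # L2 address that called deposit_tokens
    token_id: int
    returned: bool = False  # set only when the L2 bridge hands the token back

class BridgeModel:
    """Hypothetical two-layer model (constructed for illustration).
    L2 sees only self.deposits/self.l2_owner; only L1 sees consumption."""

    def __init__(self):
        self.l2_owner = {}        # token_id -> L2 owner ("bridge" while escrowed)
        self.deposits = {}        # nonce -> Deposit (L2 state)
        self.l1_consumed = set()  # nonces whose L2->L1 message L1 processed
        self.l1_cancelled = set() # nonces L1 sealed as never-consumable
        self.l1_owner = {}        # token_id -> L1 owner after a claim
        self.nonce = 0

    def mint_on_l2(self, owner, token_id):
        self.l2_owner[token_id] = owner

    def deposit_tokens(self, owner, token_id):
        assert self.l2_owner.get(token_id) == owner, "caller must own the token"
        self.l2_owner[token_id] = "bridge"  # escrowed in the L2 bridge
        self.nonce += 1
        self.deposits[self.nonce] = Deposit(owner, token_id)
        return self.nonce

    def l1_consume(self, nonce, l1_recipient):
        """L1 processes the deposit message: the token is claimed on L1."""
        if nonce in self.l1_consumed or nonce in self.l1_cancelled:
            return False
        self.l1_consumed.add(nonce)
        self.l1_owner[self.deposits[nonce].token_id] = l1_recipient
        return True

    def _return_on_l2(self, nonce):
        d = self.deposits[nonce]
        if d.returned:
            return False
        d.returned = True
        self.l2_owner[d.token_id] = d.owner
        return True

    def l2_cancel_unsafe(self, nonce):
        """Cancel from L2 state alone: L2 cannot see l1_consumed, so a token
        already claimed on L1 is handed back on L2 too (duplicated asset)."""
        return self._return_on_l2(nonce)

    def cancel_via_l1(self, nonce):
        """Cancel anchored on L1: refuse if the message was consumed, seal the
        nonce so it can never be consumed later, then notify L2 to return."""
        if nonce in self.l1_consumed or nonce in self.l1_cancelled:
            return False
        self.l1_cancelled.add(nonce)
        return self._return_on_l2(nonce)

    def duplicated(self, token_id):
        """True when the same ERC721 is live on both layers at once."""
        return token_id in self.l1_owner and self.l2_owner.get(token_id) != "bridge"
```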

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-no-L2-cancel-mecanism-without-any-root-cause

Lack of a feature is not a bug. Moreover, that's more something that the Starknet Core should implement, since there is no way for Ark to have trusted data preventing double spending. Finally, there is no real root cause in those reports, only suppositions that something bad can happen.
