Possible loss of funds for users up to 1 ether
The Starknet bridge implements a messaging fee on L1 as an incentive for handling messages to the Starknet chain (https://docs.starknet.io/architecture-and-concepts/network-architecture/messaging-mechanism/#l1-l2-message-fees). This fee is allowed to go as high as 1 ether but can also be as low as just above 0 ether (https://github.com/Cyfrin/2024-07-ark-project/blob/273b7b94986d3914d5ee737c99a59ec8728b1517/apps/blockchain/ethereum/lib/starknet/StarknetMessaging.sol#L131-L132).
So the protocol should implement a maximum msg.value, let's say 0.0001 ether, to protect its users from paying thousands of dollars unnecessarily, as the transaction will still succeed regardless. Also, when a message is sent to L2 and cannot be processed, hence requiring cancellation, the ETH is not refunded, so users that paid 1 ETH for a failed transaction will not get back the lost funds, and the transaction still won't be processed.
Possible loss of funds for users
Manual Review
The protocol should implement a maximum msg.value, let's say 0.0001 ether, in the bridge deposit function.
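As an added illustration (not code from the ARK project or from the finding author), a hypothetical deposit wrapper that enforces the proposed cap before any ETH is forwarded to Starknet. The interface mirrors StarknetMessaging's `sendMessageToL2`; the contract, error and variable names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed: the Starknet core contract's messaging entry point. The signature
// follows StarknetMessaging.sendMessageToL2; the interface name is hypothetical.
interface IStarknetMessaging {
    function sendMessageToL2(
        uint256 toAddress,
        uint256 selector,
        uint256[] calldata payload
    ) external payable returns (bytes32, uint256);
}

// Hypothetical bridge wrapper showing where a msg.value ceiling belongs.
contract CappedBridgeDeposit {
    // Starknet itself rejects fees above 1 ether; the bridge ceiling must sit below that.
    uint256 public constant STARKNET_MAX_FEE = 1 ether;

    // Ceiling proposed in the finding (e.g. 0.0001 ether); fixed at deployment.
    uint256 public immutable maxMessagingFee;

    IStarknetMessaging public immutable starknet;
    uint256 public immutable l2BridgeAddress;
    uint256 public immutable l2DepositSelector;

    error FeeExceedsCap(uint256 sent, uint256 cap);
    error InvalidCap(uint256 cap);

    constructor(IStarknetMessaging _starknet, uint256 _l2Bridge, uint256 _selector, uint256 _maxFee) {
        // A zero cap would block every deposit; a cap at or above Starknet's max is no cap at all.
        if (_maxFee == 0 || _maxFee >= STARKNET_MAX_FEE) revert InvalidCap(_maxFee);
        starknet = _starknet;
        l2BridgeAddress = _l2Bridge;
        l2DepositSelector = _selector;
        maxMessagingFee = _maxFee;
    }

    // Deposit path: the cap is checked before the external call, so an overpaying
    // user gets a revert instead of a silently accepted, non-refundable fee.
    function deposit(uint256[] calldata payload) external payable returns (bytes32 msgHash, uint256 nonce) {
        if (msg.value > maxMessagingFee) revert FeeExceedsCap(msg.value, maxMessagingFee);
        // msg.value is forwarded unchanged as the L1->L2 messaging fee.
        (msgHash, nonce) = starknet.sendMessageToL2{value: msg.value}(l2BridgeAddress, l2DepositSelector, payload);
    }
}
```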
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real possible impact.