Starknet request cancellation has onlyOwner
Summary
startRequestCancellation has an onlyOwner modifier and will lead to prolonged periods of blocked NFTs in case bridging to Starknet fails.
Vulnerability Details
The issue is marked as fixed in the private audit (M-04) but it still persists:
Disabling users from unblocking their NFTs can cause various issues, especially if the NFT is rented for some time. Having the onlyOwner means that no one except the admin can initiate cancellation and that’s why tokens will be blocked for extended periods of time, even more when there are a lot of requests from the users to the admin to start their cancelations.
Impact
Users can’t start their request cancelations and should rely on the admin to call startRequestCancellation in a timely manner.
Tools Used
Manual Review
Recommendations
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.