NFTBridge
60,000 USDC
Submission Details
Severity: medium
Invalid

`getWhiteListedCollections(...)` will return an array with blank items

Summary

`Bridge::getWhiteListedCollections(...)` will return an array with blank items if the collection contains non-whitelisted elements. The problem is that if the length of the array is used anywhere in the contract, then the wrong value will be returned for whitelisted collections.

Vulnerability Details

As shown in the code below,

  • on L318 the `ret` array has a fixed length (`nbElem`) of all the collections, whether or not they are whitelisted, and

  • on L322, only whitelisted collections are added to the `ret` array, which is returned by the function

Assume

  • 6 collections

  • only 3 whitelisted

  • `ret.length` = 6 but there are only 3 whitelisted collections

```solidity
File: Bridge.sol
314:     function getWhiteListedCollections() external view returns (address[] memory) {
315:         uint256 offset = 0;
316:         uint256 nbElem = _collections.length;
317:         // solidity doesn't support dynamic length array in memory
318: @>      address[] memory ret = new address[](nbElem);
319:         for (uint256 i = 0; i < nbElem ;++i) {
320:             address cur = _collections[i];
321:             if (_whiteList[cur]) {
322: @>              ret[offset] = cur;
323:                 offset += 1;
324:             }
325:         }
326:         // resize output array
327:         assembly {
328:             mstore(ret, offset)
329:         }
330:
331:         return ret;
332:     }
```

Impact

If an external contract uses this array, it could return unpredictable results due to the problematic implementation.

Tools Used

Manual review

Recommendations

Implement the function to return the correct whitelisted collection array.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
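
The "Incorrect statement" ruling turns on lines 327-329 of the listing: a Solidity memory array keeps its length in the first 32-byte word at the array pointer, so `mstore(ret, offset)` shrinks the array before it is returned. The contract below is an added example, not the project's code; the contract name, the constructed sample addresses and the `check()` helper are assumptions, and the getter body is copied from the listing so the 6-collections / 3-whitelisted case can be checked directly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: minimal stand-in for the Bridge storage layout
// (_collections, _whiteList) with the getter body from the listing.
contract WhiteListLengthDemo {
    address[] private _collections;
    mapping(address => bool) private _whiteList;

    constructor() {
        // Constructed sample data: 6 collections, every second one whitelisted.
        for (uint160 i = 1; i <= 6; ++i) {
            address c = address(i);
            _collections.push(c);
            _whiteList[c] = (i % 2 == 0);
        }
    }

    function getWhiteListedCollections() external view returns (address[] memory) {
        uint256 offset = 0;
        uint256 nbElem = _collections.length;
        // Allocated with one slot per collection; the length word holds nbElem.
        address[] memory ret = new address[](nbElem);
        for (uint256 i = 0; i < nbElem; ++i) {
            address cur = _collections[i];
            if (_whiteList[cur]) {
                ret[offset] = cur; // whitelisted entries are packed at the front
                offset += 1;
            }
        }
        // `ret` points at the array's length word, so this store overwrites
        // the length with the number of whitelisted entries written above.
        assembly {
            mstore(ret, offset)
        }
        return ret;
    }

    // Reverts if the returned array still has the allocated length or a blank slot.
    function check() external view returns (uint256 len) {
        address[] memory ret = this.getWhiteListedCollections();
        len = ret.length;
        require(len == 3, "length was not resized");
        for (uint256 i = 0; i < len; ++i) {
            require(ret[i] != address(0), "blank item in result");
        }
    }
}
```

The in-place shrink only works because `offset` can never exceed `nbElem`; writing a larger length this way would expose memory beyond the allocation.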
