NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

ERC1155 would cause issues

Summary

The StarklaneEscrow contract contains a vulnerability where if a different user deposits the same token ID for ERC-1155 tokens, the original depositor's ownership is overwritten. This leads to the loss of the initial depositor's ownership record, which could result in disputes or unintended loss of assets.

Vulnerability Details

The _depositIntoEscrow function handles the deposit of ERC-721 and ERC-1155 tokens into escrow. However, the current implementation does not account for the scenario where the same token ID of an ERC-1155 token is deposited by a different user. When this occurs, the mapping _escrow[collection][id] is updated to reflect the new depositor, effectively erasing the record of the original depositor.

This issue is particularly problematic for ERC-1155 tokens because they can represent fungible assets with multiple owners for the same token ID. The lack of a mechanism to track multiple depositors for the same token ID could lead to the original depositor losing their claim to the token if another user deposits the same ID.

```solidity
_escrow[collection][id] = msg.sender;
```

This assignment does not check if the token ID is already in escrow by another user, leading to the overwriting of the depositor's address.

Impact

The impact of this vulnerability is high, especially for contracts dealing with ERC-1155 tokens. The original depositor can lose their ownership record, leading to potential loss of assets or legal disputes. In a worst-case scenario, the depositor could lose valuable tokens if the system does not recognize their claim when they attempt to withdraw their assets.

Tools Used

Recommendations

Implement a mechanism to track multiple depositors for the same ERC-1155 token ID. This could involve maintaining a list of depositors for each token ID or using a different structure that supports multiple owners for the same token ID.

```solidity
mapping(address => mapping(uint256 => address[])) _escrow1155;
```

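As an added illustration (not the Starklane code and not part of this report), the single-slot pattern the report describes is shown beside a per-depositor balance map. Contract, function and error names are hypothetical; the nested amount mapping is an assumption that extends the `address[]` suggestion above so that each depositor's quantity is tracked as well as their address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC1155} from "@openzeppelin/contracts/token/ERC1155/IERC1155.sol";
import {ERC1155Holder} from "@openzeppelin/contracts/token/ERC1155/utils/ERC1155Holder.sol";

/// Hypothetical escrow for illustration only; it is not the Starklane contract.
contract Escrow1155Example is ERC1155Holder {
    // Overwrite pattern: collection => id => last depositor. A second deposit of
    // the same id silently replaces the first depositor's record.
    mapping(address => mapping(uint256 => address)) public escrowSingle;

    // Per-depositor pattern (assumed fix): collection => id => depositor => amount.
    // Every depositor keeps an independent claim sized by what they deposited.
    mapping(address => mapping(uint256 => mapping(address => uint256))) public escrow1155;

    error InsufficientEscrow(uint256 held, uint256 requested);

    // Reproduces the reported behaviour: the depositor slot is overwritten.
    function depositOverwriting(address collection, uint256 id, uint256 amount) external {
        IERC1155(collection).safeTransferFrom(msg.sender, address(this), id, amount, "");
        escrowSingle[collection][id] = msg.sender; // prior depositor's record is lost
    }

    // Hardened deposit: accumulates per depositor instead of replacing a single owner.
    function deposit(address collection, uint256 id, uint256 amount) external {
        IERC1155(collection).safeTransferFrom(msg.sender, address(this), id, amount, "");
        escrow1155[collection][id][msg.sender] += amount;
    }

    // Withdrawal is bounded by the caller's own escrowed balance, so one
    // depositor can never release tokens that another depositor put in.
    function withdraw(address collection, uint256 id, uint256 amount) external {
        uint256 held = escrow1155[collection][id][msg.sender];
        if (held < amount) revert InsufficientEscrow(held, amount);
        // Effects before interaction: reduce the claim, then transfer out.
        escrow1155[collection][id][msg.sender] = held - amount;
        IERC1155(collection).safeTransferFrom(address(this), msg.sender, id, amount, "");
    }
}
```

Both deposit paths require the caller to have approved the escrow on the ERC-1155 collection beforehand.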
Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
Assigned finding tags:

invalid-ERC1155-not-in-scope

```
compatibilities:
  Blockchains:
    - Ethereum/Starknet
  Tokens:
    - [ERC721](www.tokenstandard.com)
```

```solidity
function depositTokens(
    uint256 salt,
    address collectionL1,
    snaddress ownerL2,
    uint256[] calldata ids,
    bool useAutoBurn
) external payable {
    if (!Cairo.isFelt252(snaddress.unwrap(ownerL2))) {
        revert CairoWrapError();
    }
    if (!_enabled) {
        revert BridgeNotEnabledError();
    }
    CollectionType ctype = TokenUtil.detectInterface(collectionL1);
    if (ctype == CollectionType.ERC1155) {
@>      revert NotSupportedYetError();
    }
    …
}
```
