NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

The `token_ids` array is not fully validated, which may lead to batch transactions with empty arrays

Summary

The `token_ids` array is not fully validated, which may lead to batch transactions with empty arrays.

Vulnerability Details

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/starknet/src/bridge.cairo#L402

In the `deposit_tokens` method, if `token_ids` is passed as an empty array, the code continues to execute and emits the `DepositRequestInitiated` event, even though no actual tokens are in custody. Although a single empty-array transaction has little direct impact on the system, a malicious user can send empty-array transactions in batches to continuously trigger events, causing increased load on the blockchain network.

  • Batch empty array transactions: Due to the lack of checks on whether the `token_ids` array is empty, malicious users can send empty array requests in batches and repeatedly trigger contract events.

  • Event Abuse: Each empty array request triggers the `DepositRequestInitiated` event, although there is no actual token transfer. This may cause the on-chain event log to be polluted and increase the network burden.

  • Resource Waste: Batch empty array transactions will occupy on-chain resources, increase processing time and cost, and may affect the execution of other valid transactions.

Impact

  • Increased network load: Malicious users can increase network load and affect the overall performance of the blockchain by sending a large number of empty array requests.

  • Event log pollution: Triggering a large number of invalid events will make the on-chain logs messy and increase the difficulty of auditing and monitoring.

  • Resource consumption: Batch empty array transactions will waste on-chain computing and storage resources, which may lead to unnecessary on-chain fees.

Tools Used

VSCode

Recommendations

  • Add empty array check: In the `deposit_tokens` method, add a check to see if `token_ids` is empty. If the array is empty, stop the operation immediately and return an error message.

  • Limit batch transactions: Add restrictions on batch transactions in the contract, such as limiting the transaction frequency of each account or setting a maximum transaction amount to reduce the risk of abuse.

  • Optimize event triggering logic: Before triggering an event, ensure that actual tokens are in custody. If no tokens are transferred, the event should not be triggered.

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid-empty-tokenIds-starknet-side

No real impact. Attacker will have to pay for the deployment of the new contract even with 0 tokens, and he won’t have any interest in doing that since he won’t take control of the contract.
