ArkProject: NFT Bridge

ArkProject

NFTBridge

60,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of input validation in Request struct serialization and deserialization in `Protocol.sol`

4gontuk

Summary

Vulnerability Detail

The requestSerialize() and requestDeserialize() functions in the Protocol library do not perform input validation on the lengths of arrays within the Request struct. This omission could lead to inconsistencies between the tokenIds, tokenValues, tokenURIs, and newOwners arrays, potentially causing unexpected behavior or errors during the bridging process.

In the current implementation, the functions assume that these arrays have matching lengths:

function requestSerialize(

Request memory req

)

internal

pure

returns (uint256[] memory)

{

// ... (no length validation)

offset += Cairo.uint256ArraySerialize(req.tokenIds, buf, offset);

offset += Cairo.uint256ArraySerialize(req.tokenValues, buf, offset);

offset += Cairo.cairoStringArraySerialize(req.tokenURIs, buf, offset);

offset += Cairo.uint256ArraySerialize(req.newOwners, buf, offset);

// ...

}

Impact

If these arrays have mismatched lengths, it could lead to incorrect serialization or deserialization, potentially corrupting the bridged data or causing the transaction to revert unexpectedly.

Tools Used

Manual Review

Recommendation

To mitigate this risk, it's recommended to add input validation at the beginning of both requestSerialize() and requestDeserialize() functions. This validation should ensure that all relevant arrays have matching lengths.

Add the following checks at the start of requestSerialize():

require(req.tokenIds.length == req.tokenValues.length, "Mismatched tokenIds and tokenValues lengths");

require(req.tokenIds.length == req.tokenURIs.length, "Mismatched tokenIds and tokenURIs lengths");

require(req.tokenIds.length == req.newOwners.length, "Mismatched tokenIds and newOwners lengths");

Similar checks should be added at the end of requestDeserialize() to ensure the deserialized data is consistent.

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

60,000 USDC

nSLOC

2,301

26 USDC / LOC

High Medium

50,000 USDC

Low

5,500 USDC

Judges

4,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.