The L2 bridge.cairo deposit_tokens() doesn't check whether an empty array of token IDs can be sent or not, and in fact the bridge allows a deposit with an empty token_id array. Also, when whitelisting is disabled, any L2 collection can be bridged to L1. Combined, an empty token array and any L2 collection can be bridged, and the L2 bridge creates a scenario where thousands of vague messages can be sent to L1.

An attacker can deploy a very basic L2 collection which has the necessary name() and symbol() functions to pass the checks in deposit_tokens() / erc_metadata(), skip the NFT transfer due to the array size being zero, and spam the L1 bridge with thousands of messages.

On the L1 side the message is consumed; since l1req is zero and l1mapping is also zero, a new collection is deployed every time and it is whitelisted, which increases the collection array size.

DoS in whitelistCollection()
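To make the two conditions in the finding concrete, here is an added Python model of the checks involved (example code, not Starklane's bridge.cairo or its L1 contract; the classes, the reject_empty flag and the "l1-collection-N" addresses are assumed for illustration). It shows a deposit with an empty token_ids array passing the metadata and whitelist checks and causing a fresh L1 collection to be deployed and whitelisted, and the single length check that closes that path on either side.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

class BridgeError(Exception):
    pass

@dataclass
class DepositRequest:
    l2_collection: str    # L2 collection address being bridged
    token_ids: List[int]  # empty in the scenario described above
    name: str             # what the collection's name() returns
    symbol: str           # what the collection's symbol() returns

@dataclass
class L2Bridge:
    whitelist_enabled: bool
    whitelist: Set[str] = field(default_factory=set)
    reject_empty: bool = True  # the missing check: require >= 1 token id

    def deposit_tokens(self, req: DepositRequest) -> dict:
        # erc_metadata-style check: the collection must expose name()/symbol()
        if not req.name or not req.symbol:
            raise BridgeError("collection metadata missing")
        if self.whitelist_enabled and req.l2_collection not in self.whitelist:
            raise BridgeError("collection not whitelisted")
        if self.reject_empty and not req.token_ids:
            raise BridgeError("token_ids must not be empty")
        # Transfers happen per token id: an empty array moves nothing but still produces an L1 message
        return {"l2_collection": req.l2_collection, "token_ids": list(req.token_ids)}

@dataclass
class L1Bridge:
    l1_mapping: Dict[str, str] = field(default_factory=dict)  # l2 -> l1 address
    collections: List[str] = field(default_factory=list)      # whitelisted on L1
    reject_empty: bool = True

    def consume_message(self, msg: dict) -> str:
        if self.reject_empty and not msg["token_ids"]:
            raise BridgeError("deposit with no tokens")
        l1_addr = self.l1_mapping.get(msg["l2_collection"])
        if l1_addr is None:  # no L1 mapping yet: deploy and whitelist a new one
            l1_addr = f"l1-collection-{len(self.collections) + 1}"
            self.l1_mapping[msg["l2_collection"]] = l1_addr
            self.collections.append(l1_addr)
        return l1_addr

def rejected(call, *args) -> bool:  # True if the bridge call raises BridgeError
    try:
        call(*args)
    except BridgeError:
        return True
    return False
```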
No real impact. The attacker will have to pay for the deployment of the new contract even with 0 tokens, and it won't have any interest in doing that since he won't take control of the contract.