The escrow.sol
contract contains a potential reentrancy vulnerability in the _withdrawFromEscrow
function, which is indirectly exposed to external calls through the withdrawTokens
function. This could lead to multiple unauthorized withdrawals of the same token.
The _withdrawFromEscrow
function in the StarklaneEscrow contract performs token transfers before updating the escrow state. This function is called by the external withdrawTokens
function in bridge.sol
, potentially exposing it to reentrancy attacks.
Current implementation in _withdrawFromEscrow:
The vulnerability arises because the state update (_escrow[collection][id] = address(0x0);
) occurs after the token transfer, which involves an external call to the token contract.
If exploited, this vulnerability could allow an attacker to withdraw the same token multiple times before the escrow state is updated. This could lead to significant loss of assets held in escrow by the bridge contract.
Manual code review
Implement the Checks-Effects-Interactions pattern in _withdrawFromEscrow
Impact: - NFT already bridged won’t be bridgeable anymore without being stuck. Likelyhood: Low. - Attackers will corrupt their own tokens, deploying a risky contract interacting with an upgradable proxy. They have to buy and sell them without real benefits, except being mean. Some really specific and rare scenario can also trigger that bug.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.