NFTBridge
60,000 USDC
View results
Submission Details
Severity: medium
Invalid

Potential Reentrancy Vulnerability in `Bridge.sol`

Summary

The escrow.sol contract contains a potential reentrancy vulnerability in the _withdrawFromEscrow function, which is indirectly exposed to external calls through the withdrawTokens function. This could lead to multiple unauthorized withdrawals of the same token.

Vulnerability Details

The _withdrawFromEscrow function in the StarklaneEscrow contract performs token transfers before updating the escrow state. This function is called by the external withdrawTokens function in bridge.sol, potentially exposing it to reentrancy attacks.

Current implementation in _withdrawFromEscrow:

function _withdrawFromEscrow(
CollectionType collectionType,
address collection,
address to,
uint256 id
)
internal
returns (bool)
{
if (!_isEscrowed(collection, id)) {
return false;
}
address from = address(this);
if (collectionType == CollectionType.ERC721) {
IERC721(collection).safeTransferFrom(from, to, id);
} else {
IERC1155(collection).safeTransferFrom(from, to, id, 1, "");
}
_escrow[collection][id] = address(0x0);
return true;
}

The vulnerability arises because the state update (_escrow[collection][id] = address(0x0);) occurs after the token transfer, which involves an external call to the token contract.

Impact

If exploited, this vulnerability could allow an attacker to withdraw the same token multiple times before the escrow state is updated. This could lead to significant loss of assets held in escrow by the bridge contract.

Tools used

Manual code review

Recommendations

Implement the Checks-Effects-Interactions pattern in _withdrawFromEscrow

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

finding-withdraw-reentrancy-creates-unbridgeable-tokens

Impact: - NFT already bridged won’t be bridgeable anymore without being stuck. Likelyhood: Low. - Attackers will corrupt their own tokens, deploying a risky contract interacting with an upgradable proxy. They have to buy and sell them without real benefits, except being mean. Some really specific and rare scenario can also trigger that bug.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.