Potential Reentrancy Vulnerability in `Bridge.sol`
Summary
The escrow.sol contract contains a potential reentrancy vulnerability in the _withdrawFromEscrow function, which is indirectly exposed to external calls through the withdrawTokens function. This could lead to multiple unauthorized withdrawals of the same token.
Vulnerability Details
The _withdrawFromEscrow function in the StarklaneEscrow contract performs token transfers before updating the escrow state. This function is called by the external withdrawTokens function in bridge.sol, potentially exposing it to reentrancy attacks.
Current implementation in _withdrawFromEscrow:
The vulnerability arises because the state update (_escrow[collection][id] = address(0x0);) occurs after the token transfer, which involves an external call to the token contract.
Impact
If exploited, this vulnerability could allow an attacker to withdraw the same token multiple times before the escrow state is updated. This could lead to significant loss of assets held in escrow by the bridge contract.
Tools used
Manual code review
Recommendations
Implement the Checks-Effects-Interactions pattern in _withdrawFromEscrow
Lead Judging Commences
finding-withdraw-reentrancy-creates-unbridgeable-tokens
Impact: - NFT already bridged won’t be bridgeable anymore without being stuck. Likelyhood: Low. - Attackers will corrupt their own tokens, deploying a risky contract interacting with an upgradable proxy. They have to buy and sell them without real benefits, except being mean. Some really specific and rare scenario can also trigger that bug.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.