Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Use safeTransferFrom for ERC721 #136

Closed
code423n4 opened this issue May 13, 2022 · 1 comment
Closed

Use safeTransferFrom for ERC721 #136

code423n4 opened this issue May 13, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L199
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L295
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L344

Vulnerability details

Use safeTransferFrom for ERC721

In the contract Cally.sol every transfer of ERC721 are done with the transferFrom() instead of the recommended safeTransferFrom(). This transferFrom() does not check, whether the receiver is capable of proper handling of NFTs.

Impact

If the buyers of a call option with a ERC721 collateral is a smart contract (could be a multisig wallet) which does not implement the onERC721Received and do not have proper handling of ERC721 tokens, then the NFT would be lost if the option is exercised.

Proof of concept

  1. Alice creates a vault with a BAYC NFT

  2. SomeDAO choose to buy the call option from their multisig wallet

  3. SomeDAO exercises the option when there is a change of making a profit

  4. The BAYC NFT is transferred to SomeDAO’s multisig wallet, but by a mistake the wallet does not support handling of ERC721 tokens.

  5. SomeDAO have no way of retrieving the BAYC NFT, and has hence paid for a NFT they cannot get.

Even though the scenario is unlikely, and it would be the users own fault, there is no doubt that when it requires so small an effort, it makes sense to make it impossible to do this rooky mistake.

A similar issue was also scored as a medium see here.

The relevant code:

L199, L295, and L344.

Recommended mitigation

It is recommended to use the safe version safeTransferFrom() since this will require the receiving contract to implement IERC721Receiver.onERC721Received
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 13, 2022
code423n4 added a commit that referenced this issue May 13, 2022
@code423n4
FSchmoede issue #136
480c14d
@outdoteth outdoteth added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label May 15, 2022
@outdoteth
Copy link
Collaborator

use safeTransferFrom to prevent stuck NFTs: #38

@outdoteth outdoteth added the duplicate This issue or pull request already exists label May 15, 2022
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@outdoteth @code423n4