Use safeTransferFrom instead of transferFrom for IERC721 transfers #39
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/lowLevelCallers/LowLevelERC20Transfer.sol#L24
Vulnerability details
Impact
The transferFrom() method is used instead of safeTransferFrom(), presumably to save gas. I, however, argue that this isn’t recommended because:
- OpenZeppelin’s documentation discourages the use of transferFrom(); use safeTransferFrom() whenever possible.
- Given that any NFT can be used for the call option, there are a few NFTs that have logic in the onERC721Received() function, which is only triggered in the safeTransferFrom() function and not in transferFrom().
Proof of Concept
code-423n4/2022-05-cally-findings#38 (comment)
Tools Used
Manual
Recommended Mitigation Steps
Call the safeTransferFrom() method instead of transferFrom() for NFT transfers. Note that the looksrare contract should inherit the ERC721TokenReceiver contract as a consequence.
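The difference this finding relies on, shown as an added example that is not part of the original submission or the LooksRare code base. MiniNFT and TrackingVault are hypothetical, stripped-down contracts (no events, balances or operator approvals) written only to contrast the two transfer paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Added illustration, not LooksRare or OpenZeppelin code. Names are hypothetical.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data) external returns (bytes4);
}

contract MiniNFT {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public getApproved;

    function mint(address to, uint256 tokenId) external { // unrestricted: demo only
        require(ownerOf[tokenId] == address(0), "already minted");
        ownerOf[tokenId] = to;
    }

    function approve(address spender, uint256 tokenId) external {
        require(msg.sender == ownerOf[tokenId], "not owner");
        getApproved[tokenId] = spender;
    }

    // No receiver callback: the token moves even if `to` is a contract that cannot handle it.
    function transferFrom(address from, address to, uint256 tokenId) public {
        require(ownerOf[tokenId] == from, "wrong owner");
        require(msg.sender == from || msg.sender == getApproved[tokenId], "not authorized");
        require(to != address(0), "zero address");
        delete getApproved[tokenId];
        ownerOf[tokenId] = to;
    }

    // Same state change, followed by the ERC-721 acceptance check on contract recipients.
    function safeTransferFrom(address from, address to, uint256 tokenId) external {
        transferFrom(from, to, tokenId);
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, from, tokenId, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "unsafe recipient");
        }
    }
}

// Recipient whose bookkeeping lives in the callback (it trusts any caller: demo only).
contract TrackingVault is IERC721Receiver {
    mapping(uint256 => bool) public received;
    function onERC721Received(address, address, uint256 tokenId, bytes calldata) external returns (bytes4) {
        received[tokenId] = true;
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Sending a token to TrackingVault with transferFrom() leaves received[tokenId] false even though ownerOf already points at the vault, while safeTransferFrom() sets it; a recipient contract with no onERC721Received() makes safeTransferFrom() revert instead of silently holding the token.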