Use safeTransferFrom instead of transferFrom for IERC721 transfers #40
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/lowLevelCallers/LowLevelERC721Transfer.sol#L21
Vulnerability details
Impact
The transferFrom() method is used instead of safeTransferFrom(), presumably to save gas. I however argue that this isn’t recommended because:
OpenZeppelin’s documentation discourages the use of transferFrom(), use safeTransferFrom() whenever possible
Given that any NFT can be used for the call option, there are a few NFTs that have logic in the onERC721Received() function, which is only triggered in the safeTransferFrom() function and not in transferFrom()
Proof of Concept
code-423n4/2022-05-cally-findings#38 (comment)
Tools Used
Manual
Recommended Mitigation Steps
Call the safeTransferFrom() method instead of transferFrom() for NFT transfers. Note that the looksrare contract should inherit the ERC721TokenReceiver contract as a consequence.
The text was updated successfully, but these errors were encountered: