Use safeTransferFrom instead of transferFrom for ERC721 transfers #434
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
code423n4
added
2 (Med Risk)
|
Not Med-severity impact without additional evidence. |
c4-judge
added
downgraded by judge
|
trust1995 changed the severity to QA (Quality Assurance) |
c4-judge
added
grade-c
unsatisfactory
|
trust1995 marked the issue as grade-c |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Lines of code
https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/VirtualAccount.sol#L36-L37
Vulnerability details
Impact
In the function withdrawERC721 of contract VirtualAccount, when transferring ERC721 tokens to the recipient, the transferFrom keyword is used instead of safeTransferFrom. If the recipient is a contract and is not capable of handling ERC721 tokens, the sent tokens could be locked.
Proof of Concept
When the function transferFrom is used for transferring ERC721 token , there is no way of checking if the recipient address has capability to handle incoming ERC721 token. If there is no checking, the transaction will push through and the ERC721 token will be locked in the recipient contract address.
https://github.com/code-423n4/2023-05-maia/blob/main/src/ulysses-omnichain/VirtualAccount.sol#L36-L37
Similar issue:
code-423n4/2022-05-cally-findings#38
Tools Used
Manual Review
Recommended Mitigation Steps
Call the safeTransferFrom() method instead of transferFrom() for NFT transfers. This call will revert if the onERC721Received function is not implemented in the receiving contract, not allowing an incompatible contract to exercise the option.
Assessed type
ERC721
The text was updated successfully, but these errors were encountered: