adminApprove will not work #117
Labels
1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug: Something isn't working
resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle: pauliax
Vulnerability details
Impact
The function adminApprove is intended to allow an admin to approve NFTs on behalf of users:
However, it does so by calling .approve, which re-checks ownership: the call only succeeds when the caller (here the admin) is the token owner or has been approved for all by the owner: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC721/ERC721.sol#L116-L119
This makes the function ineffective for its stated purpose.
Recommended Mitigation Steps
Based on my understanding, it should call ._approve(...).
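As an added illustration (not the audited project's code), a minimal OpenZeppelin 4.x ERC721 with a constructed admin role, showing the broken adminApprove next to the fixed one that uses the internal _approve hook; the contract name, admin modifier and mint function are assumptions for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x, where _approve(to, tokenId) and
// _exists(tokenId) are internal functions of ERC721.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Constructed example contract, not the project under audit.
contract AdminApproveExample is ERC721 {
    address public immutable admin;

    constructor() ERC721("Example", "EX") {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    function mint(address to, uint256 tokenId) external onlyAdmin {
        _mint(to, tokenId);
    }

    // BROKEN: approve() is the public ERC721 entry point. Inside it,
    // msg.sender is still the admin, and ERC721.approve requires that
    // msg.sender be the token owner or approved-for-all by the owner.
    // For any token the admin does not own or operate, this reverts,
    // so the function cannot approve "on behalf of users".
    function adminApproveBroken(address to, uint256 tokenId) external onlyAdmin {
        approve(to, tokenId);
    }

    // FIXED: _approve() is the internal hook that records the approval and
    // emits Approval without re-checking msg.sender. Authorization comes
    // from onlyAdmin instead. _approve does not check token existence, so
    // that check is added explicitly to avoid approving a non-existent id.
    function adminApprove(address to, uint256 tokenId) external onlyAdmin {
        require(_exists(tokenId), "nonexistent token");
        _approve(to, tokenId);
    }
}
```

With this contract deployed, adminApproveBroken reverts for a token minted to any account other than the admin, while adminApprove sets getApproved(tokenId) to the given address.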