The unwrapETH2LD use transferFrom instead of safeTransferFrom to transfer ERC721 token
#157
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Comments
code423n4
added
2 (Med Risk)
This was referenced Jul 22, 2022
jefflau
added
disagree with severity
|
transfer is to the contract itself, so there is no point in using |
This was referenced Jul 27, 2022
Closed
That's incorrect in the report above. This is transferring from, not to, the contract itself. |
jefflau
added
the
sponsor confirmed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-07-ens/blob/ff6e59b9415d0ead7daf31c2ed06e86d9061ae22/contracts/wrapper/NameWrapper.sol#L327-L346
Vulnerability details
Impact
The
unwrapETH2LDusetransferFromto transfer ERC721 token, thenewRegistrantcould be an unprepared contractProof of Concept
Should a ERC-721 compatible token be transferred to an unprepared contract, it would end up being locked up there. Moreover, if a contract explicitly wanted to reject ERC-721 safeTransfers.
Plus take a look to the OZ safeTransfer comments;
Usage of this method is discouraged, use safeTransferFrom whenever possible.Tools Used
Manual Review
Recommended Mitigation Steps
function unwrapETH2LD( bytes32 labelhash, address newRegistrant, address newController ) public override onlyTokenOwner(_makeNode(ETH_NODE, labelhash)) { _unwrap(_makeNode(ETH_NODE, labelhash), newController); - registrar.transferFrom( + registrar.safeTransferFrom( address(this), newRegistrant, uint256(labelhash) ); }The text was updated successfully, but these errors were encountered: