The unwrapETH2LD use transferFrom instead of safeTransferFrom to transfer ERC721 token #157
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-07-ens/blob/ff6e59b9415d0ead7daf31c2ed06e86d9061ae22/contracts/wrapper/NameWrapper.sol#L327-L346
Vulnerability details
Impact
The unwrapETH2LD uses transferFrom to transfer the ERC721 token; the newRegistrant could be an unprepared contract.
Proof of Concept
Should an ERC-721 compatible token be transferred to an unprepared contract, it would end up being locked up there. Moreover, if a contract explicitly wanted to reject ERC-721 safeTransfers.
Plus, take a look at the OZ safeTransfer comments:
Usage of this method is discouraged, use safeTransferFrom whenever possible.
Tools Used
Manual Review
Recommended Mitigation Steps
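An added illustration of the difference the report describes, not code from NameWrapper or the ENS repository: CustodyExample and UnpreparedRecipient are hypothetical contracts, and the OpenZeppelin import paths are assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical custody contract (not NameWrapper): it holds ERC-721 tokens
// and releases them to an address chosen by the depositor.
contract CustodyExample is IERC721Receiver {
    IERC721 public immutable token; // assumed ERC-721 collection
    mapping(uint256 => address) public depositor;

    constructor(IERC721 _token) { token = _token; }

    // Records who deposited each token when it arrives via safeTransferFrom.
    function onERC721Received(address, address from, uint256 id, bytes calldata)
        external override returns (bytes4)
    {
        require(msg.sender == address(token), "wrong collection");
        depositor[id] = from;
        return IERC721Receiver.onERC721Received.selector;
    }

    // Pattern from the report: no receiver check, so a contract recipient
    // without ERC-721 handling ends up holding a token it cannot move.
    function releaseUnchecked(uint256 id, address to) external {
        _clear(id);
        token.transferFrom(address(this), to, id);
    }

    // Checked variant: reverts unless a contract recipient returns the
    // onERC721Received selector. The callback is an external call into the
    // recipient, so state is updated first (checks-effects-interactions).
    function releaseChecked(uint256 id, address to) external {
        _clear(id);
        token.safeTransferFrom(address(this), to, id);
    }

    function _clear(uint256 id) private {
        require(depositor[id] == msg.sender, "not depositor");
        delete depositor[id];
    }
}

// Constructed recipient with no onERC721Received and no transfer logic:
// releaseUnchecked succeeds and strands the token, releaseChecked reverts.
contract UnpreparedRecipient {}
```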