Owner of project NFT has no purpose #413
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
- sponsor disputed: Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
- valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L225
Vulnerability details
Owner of project NFT has no purpose
Impact
Creating a new project mints an NFT to the `_sender` (builder). The `builder` of a project has special permissions and is required to perform various tasks. However, if the minted NFT is transferred to a different address, the `builder` of a project stays the same, and the new owner of the transferred NFT has no purpose and no permissions to access authorized functions in Rigor.

If real-world use-cases require a change of the `builder` address, there is currently no way to do so. Funds could be locked in the project contract if the current `builder` address is unable to perform any more actions.

Proof of Concept
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L225
Tools Used
Manual review
Recommended mitigation steps
Consider preventing transfers of the project NFT to a different address for now, as long as there is no use-case for the NFT owner/holder, or use the actual NFT owner as the `builder` of a project.