Use safeTransferFrom() instead of transferFrom() for erc721 transfers #70
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
grade-b
Q-14
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Lines of code
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/TokenTransferrer.sol#L22
Vulnerability details
Impact
It is recommended to use safeTransferFrom() instead of transferFrom() when transferring ERC721 tokens.
The recipient could have logic in the onERC721Received() function, which is only triggered by safeTransferFrom() and not by transferFrom(). NFTs can potentially be lost if the recipient is unable to handle the ERC721 tokens it is sent.
Proof of Concept
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/TokenTransferrer.sol#L22
Tools Used
Manual Review
Recommended Mitigation Steps
Use safeTransferFrom() when sending out the NFTs.
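The difference described under Impact, as an added sketch that is not code from the LooksRare repository or from this report. The contract names `ExampleTransferrer`, `PlainVault` and `AwareVault` are hypothetical, and the caller is assumed to have approved `ExampleTransferrer` on the collection.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative only: all contract names here are hypothetical.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

contract ExampleTransferrer {
    // No recipient check: succeeds even when `to` is a contract that has
    // no code path to move the token out again.
    function sendUnchecked(IERC721 collection, address to, uint256 tokenId) external {
        collection.transferFrom(msg.sender, to, tokenId);
    }

    // Per EIP-721, the token contract calls to.onERC721Received(...) when `to`
    // is a contract and reverts unless the expected selector is returned.
    // The hook is an external call into the recipient, so any state updates
    // belong before this line (checks-effects-interactions).
    function sendChecked(IERC721 collection, address to, uint256 tokenId) external {
        collection.safeTransferFrom(msg.sender, to, tokenId);
    }
}

// No hook: sendChecked to this address reverts, sendUnchecked strands the token here.
contract PlainVault {}

// Implements the hook: sendChecked succeeds and the receipt logic runs.
// sendUnchecked also succeeds, but the hook is never called.
contract AwareVault is IERC721Receiver {
    event Received(address operator, address from, uint256 tokenId);

    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata)
        external returns (bytes4)
    {
        emit Received(operator, from, tokenId);
        return IERC721Receiver.onERC721Received.selector;
    }
}
```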