BondNFT.sol and GovNFT.sol: safeTransferMany should call a safe function #29
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-356
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/BondNFT.sol#L282
https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/GovNFT.sol#L245
Vulnerability details
Impact
The BondNFT and GovNFT contracts provide a safeTransferMany function:
BondNFT.safeTransferMany: https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/BondNFT.sol#L282
GovNFT.safeTransferMany: https://github.com/code-423n4/2022-12-tigris/blob/496e1974ee3838be8759e7b4096dbee1b8795593/contracts/GovNFT.sol#L245
The issue is that both of these functions are not actually "safe".
"safe" in the context of an ERC721 means that if the receiver of a token transfer is a contract, it must implement the onERC721Received function.
The contract signals by implementing it that it can handle ERC721 transfers.
So in this case it is misleading that the functions are labelled "safe" but are not actually "safe".
Especially since BondNFT.safeTransferFromMany and GovNFT.safeTransferFromMany are indeed "safe" since they call safeTransferFrom internally whereas the safeTransferMany functions call _transfer internally. So I believe this is just an oversight that occurred while coding and the safeTransferMany functions should call a "safe" function internally as well.
Since it looks like the safeTransferMany functions are safe when indeed they are not, tokens can be transferred to a contract that cannot handle ERC721s, thereby the tokens are lost.
Proof of Concept
BondNFT.safeTransferMany, he thinks it is first checked whether the contract implements onERC721Received since "safe" has this meaning for ERC721 transfers.
onERC721Received and cannot handle ERC721s. The tokens are lost.
Tools Used
VSCode
Recommended Mitigation Steps
In BondNFT.safeTransferMany and GovNFT.safeTransferMany, change the line
to
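The difference between a batch transfer built on _transfer and one built on a receiver-checked transfer, as an added illustration that is not the Tigris source nor the snippet originally attached to this report. It assumes OpenZeppelin's ERC721 base contract; BatchNFT, ReceiverVault, mint and transferManyUnchecked are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin's ERC721 is the base contract.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical token, for illustration only.
contract BatchNFT is ERC721 {
    constructor() ERC721("BatchNFT", "BNFT") {}

    // Demo-only mint so the example can be exercised; no access control.
    function mint(address to, uint256 id) external {
        _mint(to, id);
    }

    // The pattern the report describes: a batch transfer that loops over
    // _transfer. _transfer verifies that the caller owns each id but never
    // calls onERC721Received, so a contract recipient without that hook
    // accepts the tokens and can never move them again.
    function transferManyUnchecked(address to, uint256[] calldata ids) external {
        for (uint256 i = 0; i < ids.length; i++) {
            _transfer(_msgSender(), to, ids[i]);
        }
    }

    // Receiver-checked form: _safeTransfer reverts the whole batch unless a
    // contract recipient returns IERC721Receiver.onERC721Received.selector.
    // The hook is an external call into the recipient, so it should stay
    // the last action taken for each id.
    function safeTransferMany(address to, uint256[] calldata ids) external {
        for (uint256 i = 0; i < ids.length; i++) {
            _safeTransfer(_msgSender(), to, ids[i], "");
        }
    }
}

// Hypothetical recipient that opts in to ERC721 transfers. A contract
// without this function makes safeTransferMany revert.
contract ReceiverVault is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```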