TNT-01M: Improper State Re-Entrancy

Description:

The `fulfill` function performs a `safeTransferFrom` invocation on an ERC-721 token, which notifies the recipient of the transfer. If the recipient of the transfer is a smart contract, it will be able to re-enter the contract and potentially set the same ID as fulfilled twice, emit a corresponding event, and generally cause an incorrect state transition of the system.

Example:

Recommendation:

We advise that re-entrancy be prohibited here by either introducing the `nonReentrant` modifier of OpenZeppelin throughout the codebase, simply performing a `transferFrom` instead of a `safeTransferFrom` (both transfers are done safely despite what their names imply), or re-ordering the statements so that the transfer is performed at the bottom of the function. We should note that if `transferFrom` is used, the recipient is expected to be ERC-721 aware, as otherwise the tokens transmitted could be permanently lost.
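The two patterns the finding contrasts, as an added example (hypothetical code written for this page, not the audited project's): a `fulfill` that performs the `safeTransferFrom` before recording the fulfilment, beside a hardened version that applies two of the recommended fixes at once, effects before the interaction and OpenZeppelin's `nonReentrant`. The contract names, the `recipientOf` / `fulfilled` storage, the `Fulfilled` event and the OpenZeppelin Contracts 5.x import paths are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for TNT-01M. Everything in this file is a hypothetical
// sketch: contract names, the `recipientOf` / `fulfilled` storage and the
// `Fulfilled` event are assumptions, not the audited project's code.
import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// The pattern the finding describes: the external call comes before the
/// state write that is supposed to prevent a second fulfilment.
contract FulfillVulnerable {
    IERC721 public immutable token;
    mapping(uint256 => address) public recipientOf; // populated elsewhere (assumed)
    mapping(uint256 => bool) public fulfilled;

    event Fulfilled(uint256 indexed id, address indexed to);

    constructor(IERC721 token_) {
        token = token_;
    }

    function fulfill(uint256 id) external {
        address to = recipientOf[id];
        require(to != address(0) && !fulfilled[id], "not fulfillable");

        // When `to` is a contract, safeTransferFrom invokes
        // `to.onERC721Received(...)` (ERC-721 receiver hook). At that moment
        // `fulfilled[id]` is still false, so code running inside that hook can
        // call fulfill(id) again, pass the check above and reach the lines
        // below a second time: the ID is marked fulfilled twice, `Fulfilled`
        // is emitted twice, and any bookkeeping placed after the call runs twice.
        token.safeTransferFrom(address(this), to, id);

        fulfilled[id] = true;
        emit Fulfilled(id, to);
    }
}

/// Hardened form combining two of the recommended options: the state change
/// and event precede the external call (checks-effects-interactions), and
/// OpenZeppelin's nonReentrant rejects any nested call outright.
contract FulfillHardened is ReentrancyGuard {
    IERC721 public immutable token;
    mapping(uint256 => address) public recipientOf;
    mapping(uint256 => bool) public fulfilled;

    event Fulfilled(uint256 indexed id, address indexed to);

    constructor(IERC721 token_) {
        token = token_;
    }

    function fulfill(uint256 id) external nonReentrant {
        address to = recipientOf[id];
        require(to != address(0) && !fulfilled[id], "not fulfillable");

        // Effects first: a re-entrant call would now fail `!fulfilled[id]`
        // (and nonReentrant reverts it before it even reaches the check).
        fulfilled[id] = true;
        emit Fulfilled(id, to);

        // Interaction last. safeTransferFrom is kept so that a contract
        // recipient lacking onERC721Received rejects the token instead of
        // trapping it. The finding's remaining option, a plain transferFrom,
        // removes the callback (and with it the re-entry point) but is only
        // appropriate when recipients are known to be ERC-721 aware, since a
        // token sent to an unaware contract that way is permanently lost.
        token.safeTransferFrom(address(this), to, id);
    }
}
```

Either fix alone closes the finding; applying both costs one storage write for the guard and gives defence in depth if a later change adds another external call to the function. If `transferFrom` is chosen instead, the ERC-721-awareness caveat from the recommendation is the price of removing the callback.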