Skip to content
This repository has been archived by the owner on Jul 21, 2024. It is now read-only.

mstpr-brainbot - Transfer and burn skips revoking previous allowance #35

Closed
sherlock-admin2 opened this issue Jan 15, 2024 · 7 comments
Closed

mstpr-brainbot - Transfer and burn skips revoking previous allowance #35

sherlock-admin2 opened this issue Jan 15, 2024 · 7 comments
Assignees
@amshirif
Labels
Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Jan 15, 2024
edited by sherlock-admin
Loading

mstpr-brainbot

medium

Transfer and burn skips revoking previous allowance

Summary

When a token is transferred, burned, or minted, the allowance is not reset as it is in a typical ERC721.

Vulnerability Detail

The CouncilMember NFT contract uses a different storage variable to track allowances than ERC721 does.
https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L46

Governance can give an allowance to any token ID holder on behalf of anyone.
https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L191-L201

When the token is transferred from one address to another, whether triggered by governance or the approver, the allowance is not reset. So, if governance transfers Alice's NFT to Bob, Alice's NFT's approved target is the same for Bob too. This is not inconsistent with typical ERC721 behavior.

Also, not only for transfers but burns should also revoke the allowance. If governance burns the NFT without revoking the allowances then revoking the burnt NFT's allowance is impossible due to the ownerOf() check inside the event
https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L200

Impact

Since allowance can be given by governance to any arbitrary address transferring an nft could cause problems if the previous allowed target can act maliciously. Since this is fully governance controlled I'll label this as medium rather than a high.

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L191-L201

https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L46

https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L200

Tool used

Manual Review

Recommendation

Inside _update revoke the current allowance
@amshirif amshirif self-assigned this Jan 16, 2024
@amshirif
Copy link

https://github.com/telcoin/telcoin-audit/pull/33

@amshirif amshirif added Medium A valid Medium severity issue Disagree With Severity The sponsor disputed the severity of this issue Will Fix The sponsor confirmed this issue will be fixed Sponsor Disputed The sponsor disputed this issue's validity and removed Medium A valid Medium severity issue Disagree With Severity The sponsor disputed the severity of this issue labels Jan 16, 2024
@amshirif
Copy link

Not sure how to label this one. The issue mentioned is not actually an issue. However it did reveal that some way to remove approvals. The reason it's not an issue is because approvals should be maintained between owners. The approvals are for specific addresses who have some level of ownership of the council seat.

@github-actions github-actions bot added Medium A valid Medium severity issue Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 19, 2024
This was referenced Jan 19, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@sherlock-admin2
Copy link
Contributor Author

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { This is invalid because transfer is not allow; admin dosnt need to approve a user thats the main thing behind overridden it to allow approval only in case of emergnecy or something}

@nevillehuang
Copy link
Collaborator

request poc

@sherlock-admin2
Copy link
Contributor Author

PoC requested from @mstpr

Requests remaining: 12

@nevillehuang nevillehuang removed the Medium A valid Medium severity issue label Jan 29, 2024
@sherlock-admin sherlock-admin changed the title Cool Raspberry Rook - Transfer and burn skips revoking previous allowance mstpr-brainbot - Transfer and burn skips revoking previous allowance Jan 29, 2024
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Has Duplicates A valid issue with 1+ other issues describing the same vulnerability labels Jan 29, 2024
@sherlock-admin
Copy link
Contributor

The protocol team fixed this issue in PR/commit https://github.com/telcoin/telcoin-audit/pull/33.

@sherlock-admin
Copy link
Contributor

The Lead Senior Watson signed off on the fix.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@amshirif amshirif

Labels
Non-Reward This issue will not receive a payout Sponsor Disputed The sponsor disputed this issue's validity Will Fix The sponsor confirmed this issue will be fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@amshirif @nevillehuang @sherlock-admin @sherlock-admin2