Open ShieldifyMartin opened 4 days ago
Could you please provide more details on how to mitigate it?
It would be very helpful if you could please add a recommended implementation.
Add this check in the `init_ONFT` function to the mint account to prevent using tokens with freeze authority:

```rust
if mint_account.freeze_authority.is_some() {
    return Err(Error::MintHasFreezeAuthority);
}
```
Severity
High Risk
Description
In the `init_ONft` instruction, the `token_mint` is set without validation, allowing the initialization of a `token_mint` with a `freeze_authority`. SPL tokens with a freeze authority can have their accounts frozen by the token issuer or an authorized entity, posing a risk to the functioning of the ONFT.
Impact
If the `token_escrow` is frozen, it will be impossible to transfer the locked token to it, causing a Denial of Service (DoS) in the `send` instruction. This will render the ONFT unusable because token transfers to the token_escrow will revert at this point:
Recommendation
`token_mint` has a `freeze_authority` and return an error if detected.
`freeze_authority` for security reasons (e.g., preventing money laundering). If the protocol wishes to support USDC or similar tokens, implement an allowlist for trusted tokens, while applying strict checks on others.
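The recommendation above (reject a mint with a freeze authority, with an allowlist for trusted tokens) can be sketched as follows. This is an added example, not code from the issue or the project: it decodes the freeze authority from the packed 82-byte SPL Token mint layout using only the standard library. The function names, the allowlist parameter and the sample keys are assumptions made for illustration; only the `MintHasFreezeAuthority` error name comes from the comment on this page.

```rust
// Added example: std-only, no Solana crates; public keys are raw 32-byte arrays.
const MINT_LEN: usize = 82; // packed size of a base SPL Token mint account
const FREEZE_TAG: usize = 46; // u32 LE option tag: 0 = None, 1 = Some
const FREEZE_KEY: usize = 50; // 32-byte freeze authority follows the tag

#[derive(Debug, PartialEq)]
pub enum MintCheckError {
    InvalidMintData,
    MintHasFreezeAuthority,
}

/// Decode the freeze authority from packed mint account data.
pub fn freeze_authority(data: &[u8]) -> Result<Option<[u8; 32]>, MintCheckError> {
    if data.len() < MINT_LEN {
        return Err(MintCheckError::InvalidMintData);
    }
    let mut tag = [0u8; 4];
    tag.copy_from_slice(&data[FREEZE_TAG..FREEZE_KEY]);
    let mut key = [0u8; 32];
    key.copy_from_slice(&data[FREEZE_KEY..MINT_LEN]);
    match u32::from_le_bytes(tag) {
        0 => Ok(None),
        1 => Ok(Some(key)),
        _ => Err(MintCheckError::InvalidMintData),
    }
}

/// Reject a freezable mint unless its key is on the trusted allowlist.
pub fn validate_mint(key: &[u8; 32], data: &[u8], trusted: &[[u8; 32]]) -> Result<(), MintCheckError> {
    match freeze_authority(data)? {
        Some(_) if !trusted.contains(key) => Err(MintCheckError::MintHasFreezeAuthority),
        _ => Ok(()),
    }
}

/// Constructed sample input: an 82-byte mint with the given freeze authority.
pub fn sample_mint(freeze: Option<[u8; 32]>) -> Vec<u8> {
    let mut d = vec![0u8; MINT_LEN];
    if let Some(k) = freeze {
        d[FREEZE_TAG..FREEZE_KEY].copy_from_slice(&1u32.to_le_bytes());
        d[FREEZE_KEY..].copy_from_slice(&k);
    }
    d
}

fn main() {
    let mint_key = [7u8; 32]; // constructed placeholder, not a real mint address
    let frozen = sample_mint(Some([9u8; 32]));
    println!("{:?}", validate_mint(&mint_key, &frozen, &[])); // rejected
    println!("{:?}", validate_mint(&mint_key, &frozen, &[mint_key])); // allowlisted
}
```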