Open code423n4 opened 3 years ago
This is the intended behavior if I'm reading the issue correctly. The `to` address may want to execute a trade; if they have approved `msg.sender`, they implicitly trust them. There are cases where the `to` address is a market maker and they need to execute a trade after receiving fCash.
per sponsor comment, making this invalid
Handle
cmichel
Vulnerability details
Vulnerability Details
The `ERC1155._checkPostTransferEvent` function allows the `from` address to specify trades that are executed by the `to` address if `to` approved `msg.sender`.
Impact
An approved account can execute arbitrary batch actions on behalf of the approver, like trading their account's funds and withdrawing. It's not clear if this is the expected behavior. One might expect to only give control over the `ERC1155` controlled tokens, not over their entire Notional account and portfolio.
Recommended Mitigation Steps
Check if the approval behavior works correctly, and document the risks that come with approving an account.