code-423n4 / 2021-08-notional-findings


Privilege escalation in ERC1155 #60

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The ERC1155._checkPostTransferEvent function allows the from address to specify trades that are executed by the to address if to approved msg.sender.

Impact

An approved account can execute arbitrary batch actions on behalf of the approver, like trading their account's funds and withdrawing. It's not clear if this is the expected behavior. One might expect to only give control over the ERC1155 controlled tokens, not over their entire Notional account and portfolio.

Recommended Mitigation Steps

Check if the approval behavior works correctly, and document the risks that come with approving an account.
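
To make the mechanism concrete, the following is a simplified model added here for illustration; it is not Notional's code and not part of the finding. It assumes a hypothetical token whose safeTransferFrom decodes the `data` argument as a list of account-level actions (a made-up `Action` struct with a single `Withdraw` kind acting on a made-up `cashBalance`) and runs them as the recipient `to`. The abstract base carries the shared logic; the first concrete contract gates those actions on the ordinary ERC1155 operator approval, which is the pattern the finding describes, and the second requires a separate opt-in so that approving an operator to move tokens does not also hand over the rest of the account.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical model, not Notional's code: a minimal ERC1155-style token whose
// safeTransferFrom decodes `data` as account-level actions and executes them as `to`.
abstract contract AccountActionsToken {
    enum ActionType { Withdraw }                       // assumed action set, kept to one kind
    struct Action { ActionType kind; uint256 amount; address recipient; }

    mapping(address => mapping(uint256 => uint256)) public balanceOf;     // token balances per id
    mapping(address => uint256) public cashBalance;                        // assumed "account cash" in wei
    mapping(address => mapping(address => bool)) public isApprovedForAll;  // ERC1155 operator approval

    event ActionExecuted(address indexed account, ActionType kind, uint256 amount, address recipient);

    // Unrestricted mint is a test helper only; a real token would gate this.
    function mint(address to, uint256 id, uint256 amount) external { balanceOf[to][id] += amount; }
    function deposit() external payable { cashBalance[msg.sender] += msg.value; }

    function setApprovalForAll(address operator, bool approved) external {
        isApprovedForAll[msg.sender][operator] = approved;
    }

    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external {
        require(from == msg.sender || isApprovedForAll[from][msg.sender], "not operator for from");
        balanceOf[from][id] -= amount;                 // checked math: reverts if `from` lacks balance
        balanceOf[to][id] += amount;
        _checkPostTransferEvent(to, data);
    }

    // `data` was chosen by the caller (acting as or for `from`), but the actions run as `to`.
    function _checkPostTransferEvent(address to, bytes calldata data) internal {
        if (data.length == 0) return;
        require(to == msg.sender || _mayActFor(to, msg.sender), "to did not authorise caller");
        Action[] memory actions = abi.decode(data, (Action[]));
        for (uint256 i = 0; i < actions.length; i++) {
            Action memory a = actions[i];
            if (a.kind == ActionType.Withdraw) {
                cashBalance[to] -= a.amount;           // reverts on underflow
                (bool ok, ) = a.recipient.call{value: a.amount}("");
                require(ok, "withdraw failed");
            }
            emit ActionExecuted(to, a.kind, a.amount, a.recipient);
        }
    }

    // Decides whether `operator` may run post-transfer actions on `account`'s behalf.
    function _mayActFor(address account, address operator) internal view virtual returns (bool);
}

// Pattern described in the finding: the ERC1155 operator approval alone gates account actions.
// An operator that a victim approved only to move tokens can drain the victim's cash with
//   safeTransferFrom(operator, victim, id, 0, abi.encode(actions))
// where `actions` holds a single Withdraw of the victim's whole cashBalance to the operator.
contract ApprovalGatedActions is AccountActionsToken {
    function _mayActFor(address account, address operator) internal view override returns (bool) {
        return isApprovedForAll[account][operator];
    }
}

// Scoped variant: post-transfer actions need a separate, explicit opt-in, so the token
// transfer approval no longer implies control over the whole account.
contract ScopedActions is AccountActionsToken {
    mapping(address => mapping(address => bool)) public isActionOperator;

    function setActionOperator(address operator, bool approved) external {
        isActionOperator[msg.sender][operator] = approved;
    }

    function _mayActFor(address account, address operator) internal view override returns (bool) {
        return isActionOperator[account][operator];
    }
}
```

With ApprovalGatedActions, the only thing the victim ever did was setApprovalForAll(operator, true); the transfer amount in the draining call can be zero, so the operator does not even need to hold the token. With ScopedActions the same call reverts with "to did not authorise caller" unless the victim separately called setActionOperator, which is the kind of documented, explicit consent the mitigation step asks for.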

jeffywu commented 3 years ago

This is the intended behavior if I'm reading the issue correctly. The to address may want to execute a trade, if they have approved msg.sender they implicitly trust them. There are cases where the to address is a market maker and they need to execute a trade after receiving fCash.

ghoul-sol commented 3 years ago

Per sponsor comment, making this invalid.