It's possible to input ERC20 token address while set tokenType == TokenType.ERC721.
Proof of Concept
Alice input:
Address token = 0xExampleERC20address
TokenType tokenType = TokenType.ERC721
The function won't throw any error or message to inform that the tokenType inputed is wrong tokenType. And it also will execute ERC20(vault.token).transferFrom() function although it was assigned as ERC721 token. It's possible because the address is a ERC20 token address (in this case), and the transferFrom() both in ERC20 & ERC721 has the same ABI. Therefore it also possible in some case, user inputing their tokenId (ERC721 third argument in safeTransfer()) as an amount (ERC20)
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/main/contracts/src/Cally.sol#L158-L201
Vulnerability details
Impact
It's possible to input ERC20 token address while set tokenType ==
TokenType.ERC721
.Proof of Concept
Alice input: Address token = 0xExampleERC20address TokenType tokenType = TokenType.ERC721
The function won't throw any error or message to inform that the
tokenType
inputed is wrong tokenType. And it also will execute ERC20(vault.token).transferFrom() function although it was assigned as ERC721 token. It's possible because the address is a ERC20 token address (in this case), and thetransferFrom()
both in ERC20 & ERC721 has the same ABI. Therefore it also possible in some case, user inputing theirtokenId
(ERC721 third argument insafeTransfer()
) as anamount
(ERC20)Tools Used
Manual review