outdoteth
commented
2 years ago use safeTransferFrom to prevent stuck NFTs: https://github.com/code-423n4/2022-05-cally-findings/issues/38
Closed code423n4 closed 2 years ago
outdoteth
commented
2 years ago use safeTransferFrom to prevent stuck NFTs: https://github.com/code-423n4/2022-05-cally-findings/issues/38
Lines of code
Cally.sol#L295
Vulnerability details
Impact
The transferFrom function is used in the
createVault,withdrawand theexercisefunctions to transfer the underlying ERC721 vault asset. transferFrom sends an ERC721 asset to a receiver regardless of whether it is able to receive it or not.In the
exercisefunction, whenmsg.senderis a contract, the transferFrom function could send the underlying ERC721 asset to a contract that cannot interact with an ERC721, effectively locking it.Recommended Mitigation Steps
Consider using safeTransferFrom instead of transferFrom in the
exercisefunction. This will revert if theonERC721Receivedfunction is not implemented in the receiving contract, not allowing an incompatible contract to exercise the option.Incompatible contracts would still be able to buy options but would at least not waste more ETH when trying to exercise the option.