Buyers can accidentally lose their NFT if they send to incorrect address.
Proof of Concept
When the buyer decide to call exercise the NFT is transfered using transferFrom. This is risky because if the destination (msg.sender) is a contract and it is unable to handle NFT then it will be locked forever. This function in my opinion is Ok when you transfer to your contract.
Lines of code
https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L295 https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/Cally.sol#L431-L453
Vulnerability details
Impact
Buyers can accidentally lose their NFT if they send to incorrect address.
Proof of Concept
When the buyer decide to call
exercise
the NFT is transfered usingtransferFrom
. This is risky because if the destination (msg.sender
) is a contract and it is unable to handle NFT then it will be locked forever. This function in my opinion is Ok when you transfer to your contract.Similar issues
https://github.com/code-423n4/2022-04-backed-findings/issues/83
Recommended Mitigation Steps
Implement
safeTransferFrom