Judge has assessed an item in Issue #131 as Medium risk. The relevant finding follows:
Recommend using safeTransferFrom() instead of transferFrom() for NFTs
The EIP-721 standard states:
/// @notice Transfer ownership of an NFT -- THE CALLER IS RESPONSIBLE
/// TO CONFIRM THAT `_to` IS CAPABLE OF RECEIVING NFTS OR ELSE
/// THEY MAY BE PERMANENTLY LOST
Cally.sol uses transferFrom() to facillitate the transfer of ERC721 NFTs from the contract to users, as shown below.
In exercise():
Cally.sol:295 ? ERC721(vault.token).transferFrom(address(this), msg.sender, vault.tokenIdOrAmount)
In withdraw():
Cally.sol:344 ? ERC721(vault.token).transferFrom(address(this), msg.sender, vault.tokenIdOrAmount)
To prevent a permanent loss of NFTs, there should be checks in place to ensure msg.sender is capable of receiving NFTs. Otherwise, consider using safeTransferFrom() instead of transferFrom().
Judge has assessed an item in Issue #131 as Medium risk. The relevant finding follows:
Recommend using safeTransferFrom() instead of transferFrom() for NFTs The EIP-721 standard states:
Cally.sol uses transferFrom() to facillitate the transfer of ERC721 NFTs from the contract to users, as shown below.
In exercise():
Cally.sol:295 ? ERC721(vault.token).transferFrom(address(this), msg.sender, vault.tokenIdOrAmount) In withdraw():
Cally.sol:344 ? ERC721(vault.token).transferFrom(address(this), msg.sender, vault.tokenIdOrAmount) To prevent a permanent loss of NFTs, there should be checks in place to ensure msg.sender is capable of receiving NFTs. Otherwise, consider using safeTransferFrom() instead of transferFrom().