GalloDaSballo
commented
2 years ago Finding doesn't show any code / POC but is going for a High Severity
Closed code423n4 closed 2 years ago
GalloDaSballo
commented
2 years ago Finding doesn't show any code / POC but is going for a High Severity
HardlyDifficult
commented
2 years ago A malicious NFT that violates the standard in this way should have no value. The issue described here would also apply to any NFT marketplace or other sale mechanism. Valuing an NFT requires more than just viewing the associated metadata - it is the buyer's responsibility to do some due diligence. This is a concern with NFTs in general and not specific to the Nibbl protocol. Closing as invalid.
Lines of code
https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/NibblVaultFactory.sol#L38-L56
Vulnerability details
Impact
Anybody can create a vault which fractionalizes their NFT. However, this process should go through a whitelist and review process because a maliciously implemented NFT contracts can reclaim ownership of the contract despite it technically being 'owned' by the vault.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Say for example, I fractionalize my NFT, create the vault and the platform thinks it retains ownership of the asset through this line of code.
https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/NibblVaultFactory.sol#L53
That's not necessarily the case, because the ownerOf implementation of the NFT contract, could perhaps, always return an attacker address, perhaps after 2 days. It is not always guaranteed these NFTs are implemented following the exact OpenZepellin standard, despite adhering to the ERC721/1155 interface. These methods are not too be trusted unless using whitelisted & reviewed NFT contracts.
In addition, mint methods in the NFT contract could create an unbounded supply & any conceivable malicious intent in their implementations.
Tools Used
Manual review.
Recommended Mitigation Steps
Review the contracts of NFTs that wish to be fractionalized, especially their ownerOf, safeTransferFrom, transferFrom & mint methods so ensure no malicious intent.