Closed code423n4 closed 1 year ago
If there are some invalid contract address(ERC20 or ERC721), the transaction revert when try call safeTransferFrom
to the invalid contract addresses
Invalid contract addresses are allowed, and the transaction will most likely fail, even in the case of a malicious token, the counter-party (the other side of the order) could still verify that there's a malicious token
For completeness, the code check is applied in ERC20 transfers because solmate's low level transfer call does not apply this check themselves:
require(token.code.length > 0, "ERC20: Token is not contract");
It's not necessary for a regular external contract interaction (via ERC721.safeTransferFrom) because this will revert if the contract does not exist.
Agreed that validation of ERC721 isn't required here
Lines of code
https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L610-L614
Vulnerability details
Impact
Invalid contract addresses are allowed
Proof of Concept
function _transferERC721sIn(ERC721Asset[] memory assets, address from) internal { for (uint256 i = 0; i < assets.length; i++) { ERC721(assets[i].token).safeTransferFrom(from, address(this), assets[i].tokenId); } }
Tools Used
VS code
Recommended Mitigation Steps
for ERC20 there is validation check like the below one, function _transferERC20sIn(ERC20Asset[] memory assets, address from) internal { for (uint256 i = 0; i < assets.length; i++) { address token = assets[i].token; uint256 tokenAmount = assets[i].tokenAmount;
similarly, contract address validation can be added for ERC721