This is informational. It is up to the discretion of devs to take gobbling gobbler's approvals into consideration or not. But the recommendation is wrong as it confuses gobblerId with gobbled NFT ID.
Lines of code
https://github.com/code-423n4/2022-09-artgobblers/blob/d2087c5a8a6a4f1b9784520e7fe75afa3a9cbdbe/src/ArtGobblers.sol#L733
Vulnerability details
Impact
Only the owner is allowed to feed the gobbler, but if the NFT was previously approved for transfer, or has an operator set via approvedForAll, the gobble() function will revert. However, if the approved party first calls transferFrom() and then calls gobble() as the new owner, the call can succeed. Hence the current implementation is not consistent. As a result, the new owner has to make extra function calls to feed the gobbler.
Proof of Concept
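The two call paths described above, as an added Foundry test that is not part of the original finding and not ArtGobblers code: Gobblers, feed(), fedCount and the OwnerMismatch error are a hypothetical stand-in for the real contract, with a strict owner check that ignores ERC721 approvals, and OpenZeppelin's ERC721 supplies the approval and transfer logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Hypothetical stand-in (not ArtGobblers): an ERC721 whose owner-only
// action, feed(), does not honour ERC721 approvals.
contract Gobblers is ERC721 {
    error OwnerMismatch(address owner);
    mapping(uint256 => uint256) public fedCount;

    constructor() ERC721("Gobblers", "GOB") {}
    function mint(address to, uint256 id) external { _mint(to, id); }

    // Strict owner check: an operator approved for transfer cannot feed.
    function feed(uint256 gobblerId) external {
        address owner = ownerOf(gobblerId);
        if (owner != msg.sender) revert OwnerMismatch(owner);
        fedCount[gobblerId] += 1;
    }
}

contract FeedConsistencyTest is Test {
    Gobblers g;
    address alice = address(0xA11CE); // constructed test accounts
    address bob = address(0xB0B);

    function setUp() public {
        g = new Gobblers();
        g.mint(alice, 1);
        vm.prank(alice);
        g.approve(bob, 1); // bob may transfer token 1 but is not its owner
    }

    // Direct path: the approved party calls feed() and is rejected.
    function testApprovedOperatorCannotFeed() public {
        vm.prank(bob);
        vm.expectRevert(abi.encodeWithSelector(Gobblers.OwnerMismatch.selector, alice));
        g.feed(1);
    }

    // Indirect path: the same party transfers to itself first, then feeds.
    function testTransferThenFeedSucceeds() public {
        vm.startPrank(bob);
        g.transferFrom(alice, bob, 1); // allowed by the ERC721 approval
        g.feed(1);                     // now passes the owner check
        vm.stopPrank();
        assertEq(g.fedCount(1), 1);
    }
}
```

Run with forge test; the first test shows the approval being ignored, the second shows the extra transfer step that makes feeding succeed.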
Tools Used
Manual analysis.
Recommended Mitigation Steps