Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/crowdfund/Crowdfund.sol#L301

Vulnerability details

Impact
The transferFrom() method is used instead of safeTransferFrom(), presumably to save gas. I however argue that this isn't recommended because:
- safeTransferFrom() whenever possible.
- Given that any NFT can be used, there are a few NFTs (here's an example) that have logic in the onERC721Received() function, which is only triggered in the safeTransferFrom() function and not in transferFrom().

Tools Used
Manual Review

Recommended Mitigation Steps
Consider using the safeTransferFrom() method instead of transferFrom() for NFT transfers.
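To make the difference concrete, here is an added, self-contained Solidity example (written for this page, not PartyDAO's code). MockERC721 is a constructed, deliberately minimal ERC-721 stand-in; HookDependentRecipient stands in for a recipient contract whose bookkeeping lives in onERC721Received(); CrowdfundLike is a hypothetical holder that forwards a token first with the audited transferFrom() pattern and then with the recommended safeTransferFrom(). Contract and function names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Standard ERC-721 receiver hook (EIP-721), declared inline so the file
// compiles without OpenZeppelin. Illustrative code, not PartyDAO's.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Constructed, minimal ERC-721 stand-in: only what is needed to show how
// transferFrom() and safeTransferFrom() differ (no approvals, no events).
contract MockERC721 {
    mapping(uint256 => address) public ownerOf;

    function mint(address to, uint256 tokenId) external {
        require(ownerOf[tokenId] == address(0), "already minted");
        ownerOf[tokenId] = to;
    }

    // transferFrom(): moves the token and nothing else. A contract recipient
    // is never told that it received anything.
    function transferFrom(address from, address to, uint256 tokenId) public {
        require(ownerOf[tokenId] == from && msg.sender == from, "not owner");
        require(to != address(0), "zero recipient");
        ownerOf[tokenId] = to;
    }

    // safeTransferFrom(): same move, then calls onERC721Received() on a
    // contract recipient and reverts unless the magic selector comes back.
    function safeTransferFrom(address from, address to, uint256 tokenId) external {
        transferFrom(from, to, tokenId);
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, from, tokenId, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "unsafe recipient");
        }
    }
}

// Hypothetical recipient whose bookkeeping lives in the hook. The hook runs
// only on safeTransferFrom(), so after a transferFrom() the token has moved
// but `received` is still false.
contract HookDependentRecipient is IERC721Receiver {
    mapping(address => mapping(uint256 => bool)) public received;

    function onERC721Received(address, address, uint256 tokenId, bytes calldata)
        external override returns (bytes4)
    {
        received[msg.sender][tokenId] = true; // msg.sender is the NFT contract
        return IERC721Receiver.onERC721Received.selector;
    }
}

// Hypothetical stand-in for the holder (e.g. a crowdfund) that forwards an
// NFT it owns. forwardUnsafe() mirrors the audited pattern; forwardSafe()
// is the recommended form.
contract CrowdfundLike is IERC721Receiver {
    function forwardUnsafe(MockERC721 nft, address to, uint256 tokenId) external {
        nft.transferFrom(address(this), to, tokenId); // recipient hook skipped
    }

    function forwardSafe(MockERC721 nft, address to, uint256 tokenId) external {
        // safeTransferFrom() makes an external call into `to`, so in a real
        // contract all state updates must happen before this line
        // (checks-effects-interactions) or be guarded against re-entrancy.
        nft.safeTransferFrom(address(this), to, tokenId); // recipient hook runs
    }

    // Required so that NFTs can be safe-transferred *into* this contract;
    // without it, safeTransferFrom() to this address reverts.
    function onERC721Received(address, address, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

To reproduce in a local environment (e.g. Remix or Foundry): deploy MockERC721, HookDependentRecipient and CrowdfundLike; mint token 1 to the CrowdfundLike address and call forwardUnsafe(nft, recipient, 1): ownerOf(1) is now the recipient but received(nft, 1) is false. Repeat with token 2 through forwardSafe(): ownerOf(2) moves and received(nft, 2) is true. Two caveats a reviewer should weigh alongside the gas argument: safeTransferFrom() reverts when the recipient is a contract without the hook, so a fixed contract recipient must implement it or the transfer path is blocked, and the hook is attacker-controllable code if the recipient is arbitrary, which is why the effects-before-interactions ordering in forwardSafe() matters.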