code-423n4 / 2022-12-tigris-findings


Transferring GovNFT does not update mapping userDebt #549

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/588c84b7bb354d20cbca6034544c4faa46e6a80e/contracts/GovNFT.sol#L86-L102

Vulnerability details

Impact

Because the mapping userDebt is not updated for the receiver (userDebt[for]) on the transfer of a GovNFT token, the receiver may be harmed by not getting the collected fees.

Proof of Concept

Function _transfer(...) does not update userDebt[for], here.

Tools Used

Manual review.

Recommended Mitigation Steps

Consider updating value in userDebt[for] on transfer.
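A constructed reward-debt model of the accounting this finding and the sponsor's reply disagree about (added example, not GovNFT's code; the mechanism, the names acc_per_nft/paid/debt and the scenario are assumptions): it shows that the receiver's offset must be snapshotted at transfer time precisely so the receiver does not inherit fees deposited before the transfer, while the sender keeps what was already earned.

```python
from collections import defaultdict

PRECISION = 10**18  # fixed-point scale for the per-NFT fee accumulator

class DebtAccountedNFT:
    """Constructed model (not GovNFT's code) of per-NFT fee sharing: acc_per_nft is
    the cumulative fee per NFT; paid[user] offsets balance*acc_per_nft so only fees
    deposited while holding count; debt[user] keeps fees of tokens sent away."""

    def __init__(self):
        self.acc_per_nft = 0
        self.total_supply = 0
        self.balance = defaultdict(int)
        self.paid = defaultdict(int)
        self.debt = defaultdict(int)

    def mint(self, to):
        self.balance[to] += 1
        self.total_supply += 1
        self.paid[to] += self.acc_per_nft  # fresh token starts with zero pending

    def distribute(self, amount):  # share `amount` equally across all NFTs
        self.acc_per_nft += amount * PRECISION // self.total_supply

    def pending(self, user):
        return (self.debt[user] + self.balance[user] * self.acc_per_nft
                - self.paid[user]) // PRECISION

    def transfer(self, frm, to, update_receiver=True):
        # Sender: the departing token's earned share is frozen into debt using
        # the average offset per held token, so the sender's pending is unchanged.
        per_token_paid = self.paid[frm] // self.balance[frm]
        self.debt[frm] += self.acc_per_nft - per_token_paid
        self.paid[frm] -= per_token_paid
        self.balance[frm] -= 1
        self.balance[to] += 1
        if update_receiver:
            # Receiver: snapshot the accumulator so pre-transfer fees are not re-credited.
            self.paid[to] += self.acc_per_nft

def run_scenario(update_receiver):
    """Alice and Bob hold one NFT each; 100 in fees arrive; Alice sends hers to Carol;
    another 100 arrives. Returns pending per user and the sum of all pending."""
    nft = DebtAccountedNFT()
    nft.mint("alice"); nft.mint("bob")
    nft.distribute(100)
    nft.transfer("alice", "carol", update_receiver)
    nft.distribute(100)
    pend = {u: nft.pending(u) for u in ("alice", "bob", "carol")}
    return pend, sum(pend.values())
```

With the receiver snapshot in place the pending amounts sum to the 200 actually distributed; without it Carol is credited the 50 that accrued to the token before she held it and the claims exceed the pool.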

GalloDaSballo commented 1 year ago

Will flag but this may be a way to pass on debt to others (vulnerability)

TriHaz commented 1 year ago

Invalid, the receiver is not supposed to get the pending rewards with the NFT transfer.

c4-sponsor commented 1 year ago

TriHaz marked the issue as sponsor disputed

GalloDaSballo commented 1 year ago

With very little info available, and the sponsor disputing, I am closing for lack of proof.

Always add a coded POC to offer a stronger chance of withstanding scrutiny

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Insufficient proof