code-423n4 / 2022-12-tigris-findings


[NAZ-M11] Incorrect Address Emitted #606

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/GovNFT.sol#L26
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/GovNFT.sol#L203

Vulnerability details

Impact

The ReceiveNFT() event in _nonblockingLzReceive() is emitted when an NFT is being received via Lz. Its second parameter indicates the from address. _nonblockingLzReceive() takes a _srcAddress parameter, which indicates the intended from address of the NFT and is meant to be emitted in the ReceiveNFT() event; however, the toAddress is emitted.

Proof of Concept

This may mislead protocol user interfaces and off-chain monitoring systems to misinterpret the amounts of assets being redeemed or minted to cause confusion, flagging of alerts or DoS.

Tools Used

Manual Review

Recommended Mitigation Steps

Change emit ReceiveNFT(_srcChainId, toAddress, tokenId); to emit ReceiveNFT(_srcChainId, fromAddress, tokenId);. Or change the event itself if it is meant to emit the toAddress and not the fromAddress.

TriHaz commented 1 year ago

Definitely not med risk, should be QA.

c4-sponsor commented 1 year ago

TriHaz marked the issue as sponsor confirmed

c4-sponsor commented 1 year ago

TriHaz marked the issue as disagree with severity

GalloDaSballo commented 1 year ago

Agree with Sponsor, downgrading to Refactoring

R

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-12-tigris-findings/issues/572