Judge has assessed an item in Issue #284 as 3 risk. The relevant finding follows:
NFT tokens sent to the EthRouter contract by mistake can be drained by pool contracts. When someone calls the sell, deposit or change functions on the EthRouter contract, the contract gives the particular pool full approval (with setApprovalForAll) for tokens from that particular NFT. This approval is not revoked later. If someone sends a token from the approved NFT, the pool owner can use the execute function to withdraw this token from EthRouter to his own pool.
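The lingering-approval behaviour described in the finding, as an added example that is not the project's contract code: a simplified Python model of ERC-721 operator approvals. The `Router` class, the `revoke_after` switch and the addresses are hypothetical, and revoking the approval at the end of the call is one possible mitigation assumed here, not one stated in the finding.

```python
# Simplified model of ERC-721 operator approvals (constructed; not the project's Solidity).
class ERC721:
    def __init__(self):
        self.owner_of = {}       # token_id -> owner address
        self.operators = set()   # (owner, operator) pairs approved for all tokens

    def mint(self, to, token_id):
        self.owner_of[token_id] = to

    def set_approval_for_all(self, caller, operator, approved):
        pair = (caller, operator)
        if approved:
            self.operators.add(pair)
        else:
            self.operators.discard(pair)

    def transfer_from(self, caller, frm, to, token_id):
        if self.owner_of.get(token_id) != frm:
            raise PermissionError("from is not the owner")
        if caller != frm and (frm, caller) not in self.operators:
            raise PermissionError("caller is not owner or approved operator")
        self.owner_of[token_id] = to


class Router:
    """Hypothetical stand-in for the router; revoke_after toggles the mitigation."""
    def __init__(self, address, revoke_after):
        self.address = address
        self.revoke_after = revoke_after

    def sell(self, nft, pool, seller, token_id):
        nft.transfer_from(seller, seller, self.address, token_id)  # pull token from seller
        nft.set_approval_for_all(self.address, pool, True)         # collection-wide approval
        nft.transfer_from(pool, self.address, pool, token_id)      # pool takes the sold token
        if self.revoke_after:
            nft.set_approval_for_all(self.address, pool, False)    # approval ends with the call


def stray_token_can_be_pulled(revoke_after):
    nft, router = ERC721(), Router("router", revoke_after)
    nft.mint("alice", 1)
    nft.mint("bob", 2)
    router.sell(nft, "pool", "alice", 1)          # legitimate sale
    nft.transfer_from("bob", "bob", "router", 2)  # token 2 sent to the router by mistake
    try:
        nft.transfer_from("pool", "router", "pool", 2)  # relies on the leftover approval
        return True
    except PermissionError:
        return False
```
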