code-423n4 / 2023-06-lukso-findings


LSP8 and LSP9's ERC-165 interface ID differs from their specification #122

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-lukso/blob/main/contracts/LSP7DigitalAsset/LSP7Constants.sol#L4-L5
https://github.com/code-423n4/2023-06-lukso/blob/main/contracts/LSP8IdentifiableDigitalAsset/LSP8Constants.sol#L4-L5

Vulnerability details

Bug Description

According to LSP7's specification, the ERC-165 interface ID for LSP7 token contracts should be 0x5fcaac27:

ERC165 interface id: 0x5fcaac27

However, _INTERFACEID_LSP7 has a different value in the code:

LSP7Constants.sol#L4-L5

// --- ERC165 interface ids
bytes4 constant _INTERFACEID_LSP7 = 0xda1f85e4;

Similarly, LSP8's interface ID should be 0x49399145 according to LSP8's specification:

ERC165 interface id: 0x49399145

However, _INTERFACEID_LSP8 has a different value in the code:

LSP8Constants.sol#L4-L5

// --- ERC165 interface ids
bytes4 constant _INTERFACEID_LSP8 = 0x622e7a01;

These constants are used in supportsInterface() for the LSP7DigitalAsset and LSP8IdentifiableDigitalAsset contracts.

Impact

Protocols that check for LSP7/LSP8 compatibility using the ERC-165 interface IDs declared in the specification will receive incorrect return values when calling supportsInterface().

Recommended Mitigation

Ensure that the interface IDs declared in the code match the respective ones in their specifications.

Assessed type

Error
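A check that would catch this kind of drift in CI, added here as an example and not taken from the report or the LUKSO code base: it parses `bytes4` constants out of Solidity source and compares them with the IDs the report quotes from the specifications. The names `SPEC_IDS`, `SAMPLE_SOURCE`, `parseBytes4Constants` and `checkInterfaceIds` are hypothetical, and the sample source is constructed from the two declarations quoted above.

```javascript
// Added example: spec-vs-code drift check for ERC-165 interface IDs.
// Expected values are the IDs the report quotes from the LSP7/LSP8 specifications.
const SPEC_IDS = {
  _INTERFACEID_LSP7: "0x5fcaac27",
  _INTERFACEID_LSP8: "0x49399145",
};

// Constructed input: the two declarations quoted in the report, standing in
// for the contents of LSP7Constants.sol and LSP8Constants.sol.
const SAMPLE_SOURCE = `
// --- ERC165 interface ids
bytes4 constant _INTERFACEID_LSP7 = 0xda1f85e4;
// --- ERC165 interface ids
bytes4 constant _INTERFACEID_LSP8 = 0x622e7a01;
`;

// Collect `bytes4 [visibility] constant NAME = 0x........;` declarations.
// Comments are stripped first so a commented-out constant is not counted.
function parseBytes4Constants(source) {
  const code = source.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");
  const decl =
    /\bbytes4\s+(?:(?:internal|private|public)\s+)?constant\s+(\w+)\s*=\s*(0x[0-9a-fA-F]{8})\s*;/g;
  const found = {};
  for (const [, name, value] of code.matchAll(decl)) {
    found[name] = value.toLowerCase();
  }
  return found;
}

// Return one finding per spec ID that is missing from, or differs in, the source.
function checkInterfaceIds(source, specIds) {
  const declared = parseBytes4Constants(source);
  const findings = [];
  for (const [name, expected] of Object.entries(specIds)) {
    const actual = declared[name];
    if (actual === undefined) {
      findings.push({ name, expected, actual: null, status: "missing" });
    } else if (actual !== expected.toLowerCase()) {
      findings.push({ name, expected, actual, status: "mismatch" });
    }
  }
  return findings;
}

for (const f of checkInterfaceIds(SAMPLE_SOURCE, SPEC_IDS)) {
  console.log(`${f.status}: ${f.name} spec=${f.expected} code=${f.actual}`);
}
```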

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #101

c4-judge commented 1 year ago

trust1995 marked the issue as satisfactory

c4-judge commented 1 year ago

trust1995 marked the issue as selected for report

MiloTruck commented 1 year ago

Hi @trust1995, #101 and #102 seem to be incorrectly marked as duplicates of this issue although you've deemed that they're invalid, could you take another look?

trust1995 commented 1 year ago

They are both correctly marked as dups. #101 is invalid as the submission is written wrong, they will not receive awards as it is marked as unsatisfactory.