code-423n4 / 2023-06-lukso-findings


tokens owned by the account and tokens in ERC725Y might be different #39

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-lukso/blob/9dbc96410b3052fc0fd9d423249d1fa42958cae8/contracts/LSP7DigitalAsset/LSP7DigitalAssetCore.sol#L426-L427

Vulnerability details

Summary

If the owner is LSP6, we use the Universal Receiver Delegate to add an asset owned by the account to ERC725Y, but if the user is an EOA there is no such thing.

Impact

The assets recorded in ERC725Y might be different from the original ones owned by the account.

Proof of Concept

See the following steps:

  1. An account owned by an EOA receives some assets.
  2. Ownership is transferred to LSP6.
  3. There will be a difference between ERC725Y and the original assets.

Tools Used

Manual

Recommended Mitigation Steps

If the account is owned by an EOA, there should be a mechanism that listens to events and adds assets to ERC725Y or deletes them from it, or, after transferring to LSP6, checks the last emitted events and applies the changes to ERC725Y.

Assessed type

Other
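The mismatch the report describes between ERC725Y storage and actual token holdings can be checked after the fact by reconciling the two. The following is an added example written for this page, not code from the LUKSO repository or from the report. It assumes the LSP2 Mapping key layout for `LSP5ReceivedAssetsMap:<address>` (first 10 bytes of `keccak256("LSP5ReceivedAssetsMap")`, two zero bytes, then the 20-byte asset address), an ERC725Y `getData(bytes32)` getter on the profile, and a `balanceOf(address)` getter on LSP7 assets. The `LSP5Reconciler` contract and its function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not part of the LUKSO code base or of this report.
// Assumed minimal interfaces: ERC725Y getData(bytes32) and LSP7 balanceOf(address).
interface IERC725Y {
    function getData(bytes32 dataKey) external view returns (bytes memory);
}

interface ILSP7Balance {
    function balanceOf(address tokenOwner) external view returns (uint256);
}

/// @dev Reconciliation helper (hypothetical): for a list of candidate LSP7
/// assets, report those the profile holds but has no LSP5ReceivedAssetsMap
/// entry for, and those it has an entry for but no longer holds.
contract LSP5Reconciler {
    /// @dev LSP2 "Mapping" data key for LSP5ReceivedAssetsMap:<asset>:
    ///      bytes10(keccak256("LSP5ReceivedAssetsMap")) ++ 0x0000 ++ bytes20(asset)
    function lsp5MapKey(address asset) public pure returns (bytes32) {
        return bytes32(
            abi.encodePacked(
                bytes10(keccak256("LSP5ReceivedAssetsMap")),
                bytes2(0),
                bytes20(asset)
            )
        );
    }

    /// @dev An asset counts as registered when its map entry is non-empty.
    function isRegistered(address profile, address asset) public view returns (bool) {
        return IERC725Y(profile).getData(lsp5MapKey(asset)).length != 0;
    }

    /// @return missing assets with balance > 0 but no LSP5 map entry
    /// @return stale assets with an LSP5 map entry but zero balance
    function reconcile(address profile, address[] calldata candidates)
        external
        view
        returns (address[] memory missing, address[] memory stale)
    {
        address[] memory missingBuf = new address[](candidates.length);
        address[] memory staleBuf = new address[](candidates.length);
        uint256 m;
        uint256 s;
        for (uint256 i = 0; i < candidates.length; i++) {
            bool held = ILSP7Balance(candidates[i]).balanceOf(profile) > 0;
            bool registered = isRegistered(profile, candidates[i]);
            if (held && !registered) {
                missingBuf[m++] = candidates[i];
            } else if (!held && registered) {
                staleBuf[s++] = candidates[i];
            }
        }
        // Shrink the buffers to the number of entries actually found.
        missing = new address[](m);
        stale = new address[](s);
        for (uint256 i = 0; i < m; i++) missing[i] = missingBuf[i];
        for (uint256 i = 0; i < s; i++) stale[i] = staleBuf[i];
    }
}
```

The candidate list has to come from outside the profile (for example, from the `Transfer` event logs of the tokens in question), because ERC725Y storage cannot be enumerated from token balances. Anything reported as `missing` is an asset received while the profile was not able to register it, which is exactly the situation in the report; anything reported as `stale` was registered earlier and later transferred out without the map entry being cleared.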

c4-pre-sort commented 1 year ago

minhquanym marked the issue as primary issue

c4-sponsor commented 1 year ago

CJ42 marked the issue as sponsor disputed

CJ42 commented 1 year ago

If the UP starts being owned by an EOA, it cannot register assets. LSP1 Delegate in its current implementation does not work if the owner is not an LSP6 Key Manager. This is intended.

c4-judge commented 1 year ago

trust1995 marked the issue as unsatisfactory: Invalid