Closed c4-submissions closed 12 months ago
/// @dev The ERC721 smart contract calls this function on the recipient
/// after a `transfer`. This function MAY throw to revert and reject the
/// transfer. Return of other than the magic value MUST result in the
/// transaction being reverted.
GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L83-L86
Vulnerability details
Impact
DelegateToken's
onERC721Received
not workProof of Concept
The
onERC721Received
function restricts the operator to only beaddress(this)
.https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L83-L86
According to the EIP-721 specification, the
operator
is the caller ofsafeTransferFrom
.https://eips.ethereum.org/EIPS/eip-721#specification
In the DelegateToken contract, there are only calls to
safeTransferFrom
for ERC1155, while for ERC721, it only callstransferFrom
.For example:
https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L369
https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L384
https://github.com/code-423n4/2023-09-delegate/blob/main/src/libraries/DelegateTokenTransferHelpers.sol#L40-L42
https://github.com/code-423n4/2023-09-delegate/blob/main/src/libraries/DelegateTokenTransferHelpers.sol#L70-L75
That is to say, even if users want to use DelegateToken as the
underlyingContract
,safeTransferFrom
for ERC721 will not be called, thereby never triggering DelegateToken'sonERC721Received
. In other words,onERC721Received
will never be activated.Tools Used
Vscode
Recommended Mitigation Steps
In the contract, all transfers involving ERC721 do not use
safeTransferFrom
. I am not clear on the purpose of restrictingaddress(this) == operator
, so I don't know how to fix it.Assessed type
ERC721