code-423n4 / 2023-09-delegate-findings


If the new owner tries to approve an operator right after receiving the NFT, it will fail since the approved address was reset to 0 #272

Closed (c4-submissions closed this issue 12 months ago)

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L171

Vulnerability details

Impact

If the new owner tries to approve an operator right after receiving the NFT, it will fail since the approved address was reset to 0.

Proof of Concept

This resets the approved address to 0 after a transfer. The impact is that if the new owner tries to approve an operator right after receiving the NFT, it will fail since the approved address was reset to 0. For example:

  1. Alice approves Bob as an operator for NFT #1
  2. Bob transfers NFT #1 to Carol
  3. The approved address is reset to 0 in transferFrom
  4. Carol tries to approve Dan as an operator for NFT #1, but it will fail since the approved address is 0

Tools Used

Manual

Recommended Mitigation Steps

The approved address should NOT be reset to 0 after a transfer. Instead, it should be left unchanged.

Assessed type

Other

c4-judge commented 12 months ago

GalloDaSballo marked the issue as unsatisfactory: Insufficient proof