This could allow the old owner to still act as the delegate, since the registry hash has not been updated. Or conversely, the new owner's balance is increased but the old hash means they cannot act as the delegate
Proof of Concept
The Transfer event is emitted and balances updated before writing the new registry hash. If RegistryHelpers.transferERC721 fails, the contract state will be inconsistent - the Transfer event and balances change will have occurred, but the registry hash will still point to the old delegation.
This could allow the old owner to still act as the delegate, since the registry hash has not been updated. Or conversely, the new owner's balance is increased but the old hash means they cannot act as the delegate
Tools Used
Manual
Recommended Mitigation Steps
The registry hash should be updated first before making any state changes
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L172 https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L175 https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L176 https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L179-L180
Vulnerability details
Impact
This could allow the old owner to still act as the delegate, since the registry hash has not been updated. Or conversely, the new owner's balance is increased but the old hash means they cannot act as the delegate
Proof of Concept
The Transfer event is emitted and balances updated before writing the new registry hash. If RegistryHelpers.transferERC721 fails, the contract state will be inconsistent - the Transfer event and balances change will have occurred, but the registry hash will still point to the old delegation. This could allow the old owner to still act as the delegate, since the registry hash has not been updated. Or conversely, the new owner's balance is increased but the old hash means they cannot act as the delegate
Tools Used
Manual
Recommended Mitigation Steps
The registry hash should be updated first before making any state changes
Assessed type
Other