Closed: c4-bot-2 closed this issue 6 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #15
HickupHH3 marked the issue as not a duplicate
HickupHH3 marked the issue as duplicate of #575
HickupHH3 changed the severity to 3 (High Risk)
HickupHH3 marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/GameItems.sol#L291
https://github.com/code-423n4/2024-02-ai-arena/blob/main/src/GameItems.sol#L10
Vulnerability details
Impact
Any game item (an ERC-1155 token) can be transferred even though its configuration says otherwise (the GameItemAttributes.transferable member is false), so items intended to be soulbound are not.

Description
The GameItems contract does not enforce the non-transferability status of items on every transfer entry point, so transfers succeed even when they are explicitly disallowed by the game attribute configuration:
- safeTransferFrom(address,address,uint256,uint256,bytes) (overridden by GameItems): does implement the GameItemAttributes.transferable check.
- safeBatchTransferFrom(address,address,uint256[],uint256[],bytes) (not overridden by GameItems, inherited unchanged from ERC1155): does not implement the GameItemAttributes.transferable check.
Therefore, any game item, transferable or not, can always be transferred by calling the inherited GameItems.safeBatchTransferFrom function, with a batch of a single id if need be.

Proof Of Concept
Add the following tests in GameItems.t.sol:

Tools Used
Forge tests and manually reviewed.
Recommended Mitigation Steps
Override the GameItems.safeBatchTransferFrom function, making sure each token id in the batch is transferable before delegating to the inherited implementation.

Assessed type
Invalid Validation
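The following is an added illustration of the recommended mitigation, not code from the audited GameItems contract or from the AI Arena project. It is a minimal ERC-1155 (OpenZeppelin base) with a per-token transferable flag, where both the single-item and the batch transfer paths enforce the flag. The struct name GameItemAttributes and the field transferable come from the report; the mapping name allGameItemAttributes, the createItem function, the owner check and the custom error are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";

/// Illustrative contract (not the audited GameItems): an ERC-1155 whose
/// per-token `transferable` flag is enforced on BOTH ERC-1155 transfer entry
/// points. Overriding only safeTransferFrom leaves the inherited
/// ERC1155.safeBatchTransferFrom as an unchecked path.
contract SoulboundItems is ERC1155 {
    struct GameItemAttributes {
        bool transferable;
    }

    // Assumed storage layout for the example: one attribute record per token id.
    mapping(uint256 => GameItemAttributes) public allGameItemAttributes;
    address public immutable owner;

    error ItemNotTransferable(uint256 tokenId);

    constructor() ERC1155("") {
        owner = msg.sender;
    }

    /// Assumed admin entry point: creates an item type and mints `amount` to the owner.
    function createItem(uint256 tokenId, bool transferable, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        allGameItemAttributes[tokenId] = GameItemAttributes({transferable: transferable});
        _mint(msg.sender, tokenId, amount, "");
    }

    // Single-item path: the check the report says GameItems already performs.
    function safeTransferFrom(
        address from,
        address to,
        uint256 tokenId,
        uint256 amount,
        bytes memory data
    ) public override {
        if (!allGameItemAttributes[tokenId].transferable) {
            revert ItemNotTransferable(tokenId);
        }
        super.safeTransferFrom(from, to, tokenId, amount, data);
    }

    // Batch path: the override the report recommends. Every id in the batch is
    // checked before any balance moves, so a single non-transferable id makes
    // the whole call revert (fail closed) rather than partially succeeding.
    function safeBatchTransferFrom(
        address from,
        address to,
        uint256[] memory ids,
        uint256[] memory amounts,
        bytes memory data
    ) public override {
        for (uint256 i = 0; i < ids.length; i++) {
            if (!allGameItemAttributes[ids[i]].transferable) {
                revert ItemNotTransferable(ids[i]);
            }
        }
        super.safeBatchTransferFrom(from, to, ids, amounts, data);
    }
}
```

A Forge test for the batch path would mint a non-transferable id, call safeBatchTransferFrom with that id in a one-element array, and expect a revert; the same call against a contract that overrides only safeTransferFrom succeeds, which is the bug. An alternative to overriding both public functions is to put the check in the single internal hook both paths share (_beforeTokenTransfer in OpenZeppelin 4.x, _update in 5.x), but that hook also runs on mint and burn, so the check must then skip transfers where from or to is the zero address, otherwise non-transferable items can never be minted.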