H-02 MitigationConfirmed

[c4-bot-5]

Lines of code

Vulnerability details

C4 Issue

H-02: An attacker is able to hijack any ERC721 / ERC1155 he borrows because guard is missing validation on the address supplied to function call setFallbackHandler()

Comments

Safe owners were able to set a fallback handler for their wallets. With that they were able to call any function on any contract as it bypassed the Guard checks. They could for example transfer NFTs out of the wallet.

Mitigation

PR-4: setFallbackHandler() was disabled

• The Guard contract now checks that the fallback handler is not set. It is done in the same fashion as with the "set guard", and other selectors.
• The 0xf08a0323 function signature corresponds to the expected: cast sig "setFallbackHandler(address)".
• The only other place where the fallback handler can be set is on setup, but this is can't be controlled by the user as it is set with an immutable on the Factory contract. Setup can't be called twice.
• Tests were added to prevent setting a fallback handler

Conclusions

Successful Mitigation

[c4-judge]

gzeon-c4 marked the issue as satisfactory