This is enforced by the _requireAuthorised which ensures that caller is either owner, owner's operator or approved to spend the token.
function _requireAuthorised(address _from, uint256 _tokenId) internal view {
// revert if the sender is not authorised or the owner
bool isAllowed =
msg.sender == _from ||
isApprovedForAll[_from][msg.sender] ||
msg.sender == getApproved[_tokenId];
require(isAllowed, "not allowed");
require(ownerOf(_tokenId) == _from, "_from is not the owner!");
}
This is an issue because any user that had be approved to spend the token risks losing their approval after calling the approve function.
Recommended Mitigation Steps
Recommend limiting the approval to the owner and operator instead.
Judge has assessed an item in Issue #169 as 2 risk. The relevant finding follows:
2. OwnershipNFTs's approve function allows approved users to also perform approvals.
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/sol/OwnershipNFTs.sol#L160-L163
Impact
OwnershipNFTs's approve function allows approved users to also perform approvals, which can lead to approval loss.
The approve function checks if
msg.sender
is authorized.This is enforced by the
_requireAuthorised
which ensures that caller is either owner, owner's operator or approved to spend the token.This is an issue because any user that had be approved to spend the token risks losing their approval after calling the
approve
function.Recommended Mitigation Steps
Recommend limiting the approval to the owner and operator instead.