code-423n4 / 2024-08-superposition-validation

Missing Required ERC721 Events #178

Closed c4-bot-8 closed 1 month ago

c4-bot-8 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/sol/OwnershipNFTs.sol#L109-L116

Vulnerability details

Vulnerability Details

The contract doesn't emit required ERC721 events such as Transfer and Approval. These events are crucial for off-chain applications to track token ownership and approvals.

Impact

The lack of standard events will break compatibility with most DApps, wallets, and indexers that rely on these events to track token ownership and transfers. This severely limits the usability and visibility of the tokens.

Proof of Concept

The _transfer function doesn't emit a Transfer event:

    function _transfer(
        address _from,
        address _to,
        uint256 _tokenId
    ) internal {
        _requireAuthorised(_from, _tokenId);
        SEAWATER.transferPositionEEC7A3CD(_tokenId, _from, _to);
        // Missing Transfer event
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Emit the required events in all relevant functions:

    function _transfer(
        address _from,
        address _to,
        uint256 _tokenId
    ) internal {
        // Same authorisation check as the current code.
        _requireAuthorised(_from, _tokenId);
        SEAWATER.transferPositionEEC7A3CD(_tokenId, _from, _to);
        // Emit the ERC721 Transfer event once the position has moved.
        emit Transfer(_from, _to, _tokenId);
    }

Assessed type

ERC721
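
The following is an added example, not part of the original submission or the audited repository: Python code that rebuilds ERC721 ownership from `Transfer` logs the way an indexer does, then compares that view with `ownerOf()` results to expose transfers that emitted no event. The logs, addresses and `ownerOf()` snapshot are constructed sample data, and the helper names are hypothetical.

```python
# Added example; all logs, addresses and the ownerOf() snapshot are constructed.
# keccak256("Transfer(address,address,uint256)"), shared by ERC20 and ERC721.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def word(value: int) -> str:
    """Encode an integer as a 32-byte log topic."""
    return "0x" + format(value, "064x")

def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def owners_from_logs(logs: list) -> dict:
    """Replay Transfer logs in chain order, as an indexer does to derive owners."""
    owners = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC721 indexes all three arguments (4 topics); ERC20 Transfer has 3.
        if len(topics) != 4 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        owners[int(topics[3], 16)] = topic_to_address(topics[2])
    return owners

def find_drift(indexed: dict, onchain: dict) -> dict:
    """Map token id -> (event-derived owner, ownerOf() owner) where they differ."""
    return {tid: (indexed.get(tid), owner.lower())
            for tid, owner in onchain.items()
            if indexed.get(tid) != owner.lower()}

ALICE, BOB = "0x" + "a1" * 20, "0x" + "b2" * 20
A, B = word(int(ALICE, 16)), word(int(BOB, 16))

SAMPLE_LOGS = [
    # Token 7 minted to ALICE with a Transfer event (from the zero address).
    {"blockNumber": 100, "logIndex": 0, "topics": [TRANSFER_TOPIC, word(0), A, word(7)]},
    # ERC20-style Transfer (amount in data, 3 topics): not an NFT movement.
    {"blockNumber": 101, "logIndex": 3, "topics": [TRANSFER_TOPIC, A, B]},
]
# ownerOf() results read later: token 7 moved to BOB through a transfer that
# emitted nothing, and token 9 never appeared in any log.
ONCHAIN = {7: BOB, 9: ALICE}

if __name__ == "__main__":
    for tid, (seen, actual) in find_drift(owners_from_logs(SAMPLE_LOGS), ONCHAIN).items():
        print(f"token {tid}: indexer says {seen}, ownerOf() says {actual}")
```

A non-empty result from `find_drift` means the event stream no longer describes contract state, which is the condition wallets and indexers cannot recover from on their own.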