The contract doesn't perform zero address checks in critical functions like transferFrom and approve. This could lead to tokens being accidentally sent to the zero address.
Impact
Tokens sent to the zero address are effectively burned, resulting in a permanent loss of assets.
Proof of Concept
function transferFrom(
address _from,
address _to,
uint256 _tokenId
) external payable {
// No check for _to != address(0)
_transfer(_from, _to, _tokenId);
}
Tools Used
Manual review
Recommended Mitigation Steps
Add zero address checks to all functions that involve address parameters:
function transferFrom(
address _from,
address _to,
uint256 _tokenId
) external payable {
require(_to != address(0), "ERC721: transfer to the zero address");
_transfer(_from, _to, _tokenId);
}
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/sol/OwnershipNFTs.sol#L129-L136
Vulnerability details
Vulnerability Details:
The contract doesn't perform zero address checks in critical functions like
transferFrom
and approve. This could lead to tokens being accidentally sent to the zero address.Impact
Tokens sent to the zero address are effectively burned, resulting in a permanent loss of assets.
Proof of Concept
Tools Used
Manual review
Recommended Mitigation Steps
Add zero address checks to all functions that involve address parameters:
Assessed type
Invalid Validation