The _onTransferReceived function in the OwnershipNFTs contract incorrectly implements the check for the onERC721Received selector. The function reverts when it receives the correct selector and allows the transfer for any other value, which is the opposite of the intended behavior.
Impact
This vulnerability can lead to several severe consequences:
Loss of tokens: NFTs could be transferred to contracts that are not capable of handling ERC721 tokens, potentially resulting in permanent loss of these assets.
Broken functionality: The safeTransferFrom function, which is designed to prevent accidental transfers to unprepared contracts, is rendered ineffective.
Proof of Concept
require(
data != IERC721TokenReceiver.onERC721Received.selector,
"bad nft transfer received data"
);
This code checks if the returned data is NOT equal to the expected selector, which is the opposite of the correct implementation.
Tools Used
Manual code review
Recommended Mitigation Steps
The check should be corrected to verify that the returned data matches the expected selector:
require(
data == IERC721TokenReceiver.onERC721Received.selector,
"bad nft transfer received data"
);
Lines of code
https://github.com/superposition-finance/superposition-core/blob/main/pkg/sol/OwnershipNFTs.sol#L92-L95
Vulnerability details
Vulnerability detail
The
_onTransferReceived
function in theOwnershipNFTs
contract incorrectly implements the check for theonERC721Received
selector. The function reverts when it receives the correct selector and allows the transfer for any other value, which is the opposite of the intended behavior.Impact
This vulnerability can lead to several severe consequences:
safeTransferFrom
function, which is designed to prevent accidental transfers to unprepared contracts, is rendered ineffective.Proof of Concept
This code checks if the returned data is NOT equal to the expected selector, which is the opposite of the correct implementation.
Tools Used
Manual code review
Recommended Mitigation Steps
The check should be corrected to verify that the returned data matches the expected selector:
Assessed type
Invalid Validation