Lines of code

https://github.com/superposition-finance/superposition-core/blob/main/pkg/sol/OwnershipNFTs.sol#L92-L95

Vulnerability details

Vulnerability detail

The _onTransferReceived function in the OwnershipNFTs contract incorrectly implements the check for the onERC721Received selector. The function reverts when it receives the correct selector and allows the transfer for any other value, which is the opposite of the intended behavior.

Impact

This vulnerability can lead to several severe consequences:

Loss of tokens: NFTs could be transferred to contracts that are not capable of handling ERC721 tokens, potentially resulting in permanent loss of these assets.
Broken functionality: The safeTransferFrom function, which is designed to prevent accidental transfers to unprepared contracts, is rendered ineffective.

Proof of Concept

require(
    data != IERC721TokenReceiver.onERC721Received.selector,
    "bad nft transfer received data"
);

This code checks if the returned data is NOT equal to the expected selector, which is the opposite of the correct implementation.

Tools Used

Manual code review

Recommended Mitigation Steps

The check should be corrected to verify that the returned data matches the expected selector:

require(
    data == IERC721TokenReceiver.onERC721Received.selector,
    "bad nft transfer received data"
);

Assessed type

Invalid Validation

code-423n4 / 2024-08-superposition-validation

Incorrect Implementation of ERC721 Safe Transfer Check #193