Closed lawweiliang closed 2 years ago
Correct me if I am wrong. @lawweiliang, is this still vulnerable because the owner can be transferred to someone else? https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol
Hi @elie222 @lawweiliang, maybe this is not enough: "refundAddress" can be changed by the setRefundAddress function; we should prohibit every refundAddress from calling the refund function.
But owner can still transfer to another address that isn't blacklisted. I left the same comment on your PR. We just merged in another fix for this issue: https://github.com/exo-digital-labs/ERC721R/pull/9. Happy to hear everyone's thoughts on it.
issue: https://github.com/exo-digital-labs/ERC721R/pull/9 is better.
@qbig, you are right, the owner can still transfer the token to another address, refund it using the new address, and continue to drain the funds. Hmm...
The refund problem was solved in #9 by adding "has refunded". The token transfer problem by the owner was solved as well. I closed this pull request.
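As an added illustration (not the ERC721R code and not what #9 merged), here is how a per-token "has refunded" flag closes the transfer-and-refund-again loop described above; the contract and variable names, the price and the refund window are assumptions, and it assumes OpenZeppelin Contracts 4.x:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Illustrative contract (hypothetical name), not ERC721R's code; assumes OpenZeppelin 4.x.
contract RefundableNFT is ERC721, Ownable {
    uint256 public constant MINT_PRICE = 0.1 ether;   // constructed sample value
    uint256 public immutable refundEndTime;
    address public refundAddress;                     // where refunded tokens go

    // Per-token flag: a token can be refunded exactly once, whoever holds it.
    // This is what closes the loop in the thread: a refunded token sent back to
    // refundAddress cannot be transferred to a fresh address and refunded again.
    mapping(uint256 => bool) public hasRefunded;

    constructor() ERC721("Refundable", "RFND") {
        refundEndTime = block.timestamp + 45 days;    // constructed window
        refundAddress = msg.sender;
    }
    function setRefundAddress(address newRefundAddress) external onlyOwner {
        refundAddress = newRefundAddress;
    }

    function mint(uint256 tokenId) external payable {
        require(msg.value == MINT_PRICE, "wrong price");
        _safeMint(msg.sender, tokenId);
    }

    // An address-based guard alone (e.g. require(msg.sender != owner())) does not
    // stop the drain, because the token can be moved to an unblocked address.
    function refund(uint256 tokenId) external {
        require(block.timestamp < refundEndTime, "refund window closed");
        require(ownerOf(tokenId) == msg.sender, "not token owner");
        require(!hasRefunded[tokenId], "already refunded");
        hasRefunded[tokenId] = true;                  // effects before interaction
        _transfer(msg.sender, refundAddress, tokenId);
        (bool ok, ) = msg.sender.call{value: MINT_PRICE}("");
        require(ok, "refund failed");
    }

    // Proceeds can only be withdrawn once no refund can still be claimed.
    function withdraw() external onlyOwner {
        require(block.timestamp >= refundEndTime, "refund window open");
        (bool ok, ) = owner().call{value: address(this).balance}("");
        require(ok, "withdraw failed");
    }
}
```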
Hi @elie222
Here are the improvements:
Stop the owner of the contract from calling the refund function: a notOwner modifier is applied to the refund function.
To simplify contributions, I did include a prettier config file.
Hope it helps.
Regards, Liang