Open hats-bug-reporter[bot] opened 1 week ago
The said scenario is not applicable here.
When the user requests a withdrawal, a withdrawalId, i.e. an NFT, would be minted to the user's recipient address via the requestWithdrawal() function. To claim the native ROSE token, the owner of the withdrawalId can call the claimWithdrawal() function, which will burn the NFT in order to transfer the native ROSE tokens.
Github username: -- Twitter username: -- Submission hash (on-chain): 0x005adf9a22ec6709a79a541f3af7d1a7e4664bba69ef37758614915f22d1f5d7 Severity: low
Description:
The current implementation of the ERC721 token contract does not include any mechanism to distinguish between different blockchain networks in the event of a hard fork. This omission could lead to ownership ambiguity and potential disputes if the blockchain undergoes a hard fork, as the same NFT would exist on both chains with identical token IDs and metadata.
In the event of a blockchain hard fork, an attacker could exploit the situation as follows:
Proof of Concept
The tokenURI function, as currently implemented, does not include any chain-specific information in the token URI. This means that the same NFT would have identical metadata on both chains after a hard fork.
Revised Code Suggestion
Update the tokenURI function to include the chain ID in the token's URI. This ensures that even if the NFT exists on multiple chains after a fork, each instance will have a unique identifier.
Add a verifyChain function that can be called to ensure the contract is being interacted with on the intended chain. This function can be used as a modifier for critical operations if needed.
These changes address the vulnerability by:
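The two suggested changes in one sketch, added here as an illustration and not the report's or the project's code; it assumes OpenZeppelin Contracts v5 and a constructed base URI, and the claimWithdrawal body is hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

// Added illustration (not the audited contract): an ERC721 whose metadata and
// critical operations are pinned to the chain it was deployed on.
contract ChainPinnedWithdrawalNFT is ERC721 {
    using Strings for uint256;

    // Chain ID captured at deployment. After a hard fork, only the chain that
    // keeps this value in block.chainid passes verifyChain().
    uint256 public immutable deploymentChainId;
    string private _base;

    error WrongChain(uint256 expected, uint256 actual);

    constructor(string memory baseURI_) ERC721("WithdrawalId", "WID") {
        deploymentChainId = block.chainid;
        _base = baseURI_;
    }

    // Reverts when invoked on any chain other than the deployment chain.
    modifier onlyDeploymentChain() {
        if (block.chainid != deploymentChainId) {
            revert WrongChain(deploymentChainId, block.chainid);
        }
        _;
    }

    function verifyChain() public view returns (bool) {
        return block.chainid == deploymentChainId;
    }

    // Embeds the live chain ID, so the same tokenId resolves to different
    // metadata on each fork: <base>/<chainId>/<tokenId>
    function tokenURI(uint256 tokenId) public view override returns (string memory) {
        _requireOwned(tokenId);
        return string.concat(_base, "/", block.chainid.toString(), "/", tokenId.toString());
    }

    // Hypothetical critical operation gated by the modifier; the real
    // contract would also transfer the native token here.
    function claimWithdrawal(uint256 tokenId) external onlyDeploymentChain {
        require(ownerOf(tokenId) == msg.sender, "not owner");
        _burn(tokenId);
    }
}
```

This only separates forks where one side adopts a new EIP-155 chain ID; if both sides keep the same chain ID, nothing on-chain can tell them apart.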