ith-harvey
commented
1 year ago no requirement of approvals for unstaking
Closed sherlock-admin closed 1 year ago
ith-harvey
commented
1 year ago no requirement of approvals for unstaking
grandizzy
commented
1 year ago proof that report is invalid https://github.com/ajna-finance/contracts/pull/912 (assert owner before unstake is RewardsManager contract and owner after unstake is staker)
0xffff11
commented
1 year ago Agree with sponsor. Invalid
stopthecap
high
Users are unable to
unstakeandemergencyUnstakeSummary
Users are unable to unstake NFTs and emergencyUnstake NFTs
Vulnerability Detail
when users try to unstake their NFT, the
unstakeandemergencyUnstakefunction will fail due to a missing approval to transfer the NFT from the contract to the caller. If you check the Open Zeppekin implementation:https://github.com/OpenZeppelin/openzeppelin-contracts/blob/1a77a508f93e2df058cb082def4753a060aefa8f/contracts/token/ERC721/ERC721.sol#L154
you can see that when calling transferFrom, it is required an approval before hand to actually transfer the NFT.
Impact
Users are unable to unstake their NFTs (stuck NFTs)
Code Snippet
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/RewardsManager.sol#L813
https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/RewardsManager.sol#L216-L219
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/1a77a508f93e2df058cb082def4753a060aefa8f/contracts/token/ERC721/ERC721.sol#L154
Tool used
Manual Review
Recommendation
Approve the transfer from the NFT before actually sending it