XO-tokenIds parameter in atomicSwapCallback() function is not properly validated
Summary
The atomicSwapCallback() function does not check that the tokenIds parameter is a valid array of NFT token IDs. This can allow an attacker to transfer NFTs that the attacker does not own.
Vulnerability Detail
The vulnerability is in the interface IERC721Taker, in the atomicSwapCallback() function:
interface IERC721Taker {
    function atomicSwapCallback(
        uint256[] memory tokenIds,
        uint256 quoteAmountDue,
        bytes calldata data
    ) external;
}
The problem is that the function does not check that the tokenIds parameter is a valid array of NFT token IDs. This means that an attacker could call the atomicSwapCallback() function with a tokenIds value that is not a valid array of NFT token IDs, which would cause the function to transfer the NFTs to the attacker even though the attacker does not own them.
Impact
This vulnerability allows an attacker to transfer NFTs that the attacker does not own.
An attacker can exploit this vulnerability as follows:
The attacker creates a malicious contract that calls the atomicSwapCallback() function.
The attacker sets the tokenIds parameter to an array of NFT token IDs that the attacker does not own.
The attacker calls the atomicSwapCallback() function through the malicious contract.
The contract transfers the NFTs to the attacker, even though the attacker does not own them.
XDZIBEC
high
Tool used
Manual Review
Recommendation
Update the atomicSwapCallback() function to ensure that the tokenIds parameter is a valid array of NFT token IDs.
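An added example, not the audited project's code, of what such validation looks like on the taker side: a contract implementing IERC721Taker that only accepts the callback from a trusted pool address, checks every reported tokenId against the ids it asked for, confirms each NFT is actually held by the contract, and only then settles quoteAmountDue. The pool address, the ERC-721 collection, the ERC-20 quote token and the assumption that the pool forwards the initiator's data bytes unchanged are all assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example; pool, collection and quoteToken are assumptions, not project code.
interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IERC721Taker {
    function atomicSwapCallback(
        uint256[] memory tokenIds,
        uint256 quoteAmountDue,
        bytes calldata data
    ) external;
}

contract ValidatingTaker is IERC721Taker {
    address public immutable pool;        // assumed trusted caller of the callback
    IERC721 public immutable collection;  // assumed NFT collection being swapped
    IERC20 public immutable quoteToken;   // assumed token used to settle quoteAmountDue

    constructor(address pool_, IERC721 collection_, IERC20 quoteToken_) {
        pool = pool_; collection = collection_; quoteToken = quoteToken_;
    }

    function atomicSwapCallback(
        uint256[] memory tokenIds,
        uint256 quoteAmountDue,
        bytes calldata data
    ) external override {
        // 1. Only the trusted pool may trigger the callback.
        require(msg.sender == pool, "untrusted caller");
        // 2. Our own expectations, passed through by the pool: requested ids and max price.
        (uint256[] memory expected, uint256 maxQuote) = abi.decode(data, (uint256[], uint256));
        require(tokenIds.length != 0 && tokenIds.length == expected.length, "bad tokenIds length");
        require(quoteAmountDue <= maxQuote, "quote too high");
        // 3. Every reported id must be one we requested and must already be held here.
        for (uint256 i = 0; i < tokenIds.length; i++) {
            require(tokenIds[i] == expected[i], "unexpected tokenId");
            require(collection.ownerOf(tokenIds[i]) == address(this), "NFT not received");
        }
        // 4. Only after validation is the quote paid to the pool.
        require(quoteToken.transfer(pool, quoteAmountDue), "payment failed");
    }
}
```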