XDZIBEC - XO-`tokenIds` parameter in `atomicSwapCallback()` function is not properly `validated`

[sherlock-admin]

XDZIBEC

high

XO-tokenIds parameter in atomicSwapCallback() function is not properly validated

Summary

• The atomicSwapCallback() function does not check to make sure that the tokenIds parameter is a valid array of NFT token IDs, this can allow an attacker to transfer the NFTs even though the attacker does not own the NFTs.

  Vulnerability Detail

• There is a vulnerability in the interface IERC721Taker, it is in the atomicSwapCallback( function,

  function atomicSwapCallback(
      uint256[] memory tokenIds, 
      uint256          quoteAmountDue,
      bytes calldata   data
  ) external;
  }

• so the problem is that the function does not check to make sure that the tokenIds parameter is a valid array of NFT token IDs. means that an attacker could call the atomicSwapCallback() function with a value for the tokenIds parameter that is not a valid array of NFT token IDs. This would cause the function to transfer the NFTs to the attacker, even though the attacker does not own the NFTs.

  Impact

• This vulnerability allow an attacker to transfer the NFTs even though the attacker does not own the NFTs.
• An attacker can exploit this vulnerability:
  • An attacker create a malicious contract that calls the atomicSwapCallback() function.
  • an attacker set the tokenIds parameter to an array of NFT token IDs that the attacker does not own.
  • an attacker call the atomicSwapCallback() function with the malicious contract.
  • The contract transfer the NFTs to the attacker, even though the attacker does not own the NFTs.

Code Snippet

• https://github.com/sherlock-audit/2023-04-ajna/blob/main/ajna-core/src/interfaces/pool/erc721/IERC721Taker.sol#L13

  Tool used

Manual Review

Recommendation

• adding a check to the atomicSwapCallback() function to ensure that the tokenIds parameter is a valid array of NFT token IDs.