Closed sherlock-admin closed 7 months ago
Invalid, this only affects off chain integrations, and is not a security risk. Additionally, see this discussion for more details.
The protocol team fixed this issue in PR/commit https://github.com/telcoin/telcoin-audit/pull/39.
The Lead Senior Watson signed-off on the fix.
Tricko
medium
CouncilMember does not implement supportsInterface() correctly.
Summary
The CouncilMember contract inherits from ERC721EnumerableUpgradeable but doesn't override the supportsInterface method correctly.
Vulnerability Detail
As we can see from the CouncilMember.supportsInterface() code below, it returns true when queried about supporting the extension interface (ERC721EnumerableUpgradeable), but fails to return true when queried about the base interface (IERC721) or the IERC165 interface, both of which it actually supports.
The POC code provided below demonstrates that the CouncilMember contract does not accurately return true when queried about its support for ERC721. To run the POC code, execute it from the test/sablier folder.
Impact
Due to the wrong supportsInterface() implementation, if the CouncilMember contract is queried (either on-chain or off-chain) it will incorrectly report that it doesn't support ERCs such as ERC721 or ERC165. This will affect CouncilMember integration with third-party contracts or off-chain services.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L146-L161
Tool used
Manual Review
Recommendation
Consider calling the parent contract's supportsInterface() method, as shown below.
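The override pattern at issue, as an added example that is not the report's or Telcoin's code: every contract and interface name is a hypothetical stand-in, with Base and Extension playing the roles of the ERC721 base and its enumerable extension. It assumes Solidity 0.8.20 or later and uses no external imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-ins for illustration; not Telcoin's or OpenZeppelin's code.
interface IERC165 {
    function supportsInterface(bytes4 interfaceId) external view returns (bool);
}
interface IBase { function ownerOf(uint256 id) external view returns (address); }
interface IExtension { function totalSupply() external view returns (uint256); }

// Parent chain: each level answers for its own interface ids.
contract Base is IERC165, IBase {
    function supportsInterface(bytes4 id) public view virtual returns (bool) {
        return id == type(IERC165).interfaceId || id == type(IBase).interfaceId;
    }
    function ownerOf(uint256) external pure returns (address) { return address(0); }
}
contract Extension is Base, IExtension {
    function supportsInterface(bytes4 id) public view virtual override returns (bool) {
        return id == type(IExtension).interfaceId || super.supportsInterface(id);
    }
    function totalSupply() external pure returns (uint256) { return 0; }
}

// Before: the override names only the extension id, so the answers the
// parents would give for IBase and IERC165 are never consulted.
contract BrokenChild is Extension {
    function supportsInterface(bytes4 id) public view override returns (bool) {
        return id == type(IExtension).interfaceId;
    }
}

// After: defer to the parent chain for every id the child does not add itself.
contract FixedChild is Extension {
    function supportsInterface(bytes4 id) public view override returns (bool) {
        return super.supportsInterface(id);
    }
}

// Check a test or an integrator can run against a deployed child.
// 0xffffffff must always be reported as unsupported under ERC-165.
function reportsFullChain(IERC165 c) view returns (bool) {
    return c.supportsInterface(type(IERC165).interfaceId)
        && c.supportsInterface(type(IBase).interfaceId)
        && c.supportsInterface(type(IExtension).interfaceId)
        && !c.supportsInterface(bytes4(0xffffffff));
}
```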