Closed sherlock-admin closed 5 months ago
The desired effect is that approvals are maintained. This is because the addresses with allowances have a level of ownership that they get to maintain for their council seat.
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { I consider this invalid because the approve() function has an only governance modifier and according to sherlock rules they are trusted entities; so the governance can make sure to revoke any approval that was made; and I can't see where it's explicitly used in the function in question : removeFromOffice()}
Bauer
high
The removeFromOffice() function is implemented incorrectly
Summary
In the removeFromOffice() function, it does not clear the approval, allowing the approved user to retain permission for operations.
Vulnerability Detail
In the removeFromOffice() function, the protocol transfers the NFT from the from address to the to address. However, if this NFT was previously approved to another user, this function does not clear the approval, allowing the approved user to retain permission for operations.
Impact
After the NFT has changed ownership, the person who was previously approved still retains permission to operate on it.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L122-L134
Tool used
Manual Review
Recommendation
Clear previous approvals after transferring NFT ownership.
Duplicate of #35
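As an added illustration of the stale-approval pattern described in the finding (this is a hypothetical minimal seat registry written for this page, not the Telcoin CouncilMember contract; the contract name, function names and storage layout are assumptions), the vulnerable shape is shown beside the corrected form:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal registry, NOT the audited CouncilMember.sol.
// It models only what the finding needs: one owner per seat and one
// per-seat approved operator that must be cleared when the seat moves.
contract SeatRegistry {
    address public governance;
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public getApproved;

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor() { governance = msg.sender; }

    function mint(uint256 seat, address to) external onlyGovernance {
        require(ownerOf[seat] == address(0), "seat exists");
        ownerOf[seat] = to;
    }

    // The seat holder delegates operator rights over the seat to `operator`.
    function approve(uint256 seat, address operator) external {
        require(msg.sender == ownerOf[seat], "not owner");
        getApproved[seat] = operator;
    }

    // Vulnerable shape from the finding: ownership moves, but the previous
    // holder's approval is left in storage, so that operator keeps rights.
    function removeFromOfficeVulnerable(uint256 seat, address to) external onlyGovernance {
        ownerOf[seat] = to;
    }

    // Hardened form: clear the stale approval in the same transaction that
    // moves the seat, before the new owner or any external call can observe it.
    function removeFromOfficeFixed(uint256 seat, address to) external onlyGovernance {
        delete getApproved[seat];
        ownerOf[seat] = to;
    }

    // Access check used by seat operations: current owner or current approved operator.
    function isAuthorized(uint256 seat, address caller) public view returns (bool) {
        return caller == ownerOf[seat]
            || (caller != address(0) && caller == getApproved[seat]);
    }
}
```

After removeFromOfficeVulnerable, isAuthorized still returns true for the operator approved by the old holder; after removeFromOfficeFixed it returns false for that operator and true only for the new owner.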