Council members have the ability to transfer their NFTs to others.
Summary
The creation of new council members should be community-driven, but the current implementation does not correctly reflect this.
Vulnerability Detail
There is a disparity in permission control for NFT transfers.
While the removeFromOffice function requires the governance role to be called, the transferFrom andsafeTransferFrom functions work without any permission checks.
This allows council members to easily send their NFTs using these functions.
function removeFromOffice(address from, address to, uint256 tokenId, address rewardRecipient)
external onlyRole(GOVERNANCE_COUNCIL_ROLE) {
_retrieve();
_withdrawAll(rewardRecipient, tokenId);
_transfer(from, to, tokenId);
}
ggg_ttt_hhh
medium
Council members have the ability to transfer their NFTs to others.
Summary
The creation of new council members should be community-driven, but the current implementation does not correctly reflect this.
Vulnerability Detail
There is a disparity in permission control for
NFT
transfers. While theremoveFromOffice
function requires the governancerole
to be called, thetransferFrom
andsafeTransferFrom
functions work without any permission checks. This allows council members to easily send theirNFT
s using these functions.Impact
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L122-L134
Tool used
Manual Review
Recommendation
Overwrite these functions.
Duplicate of #243