sherlock-audit / 2024-01-telcoin-judging


r0ck3tz - Authorization added to approve function can be bypassed #203

Closed sherlock-admin2 closed 6 months ago

sherlock-admin2 commented 6 months ago

r0ck3tz

medium

Authorization added to approve function can be bypassed

Summary

The approve function has been limited to GOVERNANCE_COUNCIL_ROLE, but the owner of the token can bypass this functionality and use the setApprovalForAll function to allow a third-party contract to spend tokens.

Vulnerability Detail

The approve function has been limited to GOVERNANCE_COUNCIL_ROLE and allows setting approval for any token to any address. The owner of the token can use the setApprovalForAll function and set a third-party contract as an operator, which allows bypassing the authorization added to the approve function.

Impact

Users can use setApprovalForAll to allow any contract to spend the ERC721 tokens, bypassing the authorization added to the approve function.

Code Snippet

Tool used

Manual Review

Recommendation

It is recommended to:

Duplicate of #243
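The pattern the issue describes, as an added illustration rather than Telcoin's own code: a token that gates `approve` behind `GOVERNANCE_COUNCIL_ROLE` but inherits `setApprovalForAll` unchanged, followed by a derived contract that closes the second approval path. Contract names, the `setOperatorFor` helper and the OpenZeppelin v5 import paths are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5.x at these import paths (hypothetical setup).
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Vulnerable pattern: `approve` is gated, but the inherited `setApprovalForAll`
// is not, so any token holder can still grant an operator rights over all tokens.
contract GatedApproveNFT is ERC721, AccessControl {
    bytes32 public constant GOVERNANCE_COUNCIL_ROLE = keccak256("GOVERNANCE_COUNCIL_ROLE");

    constructor(address council) ERC721("Example", "EXM") {
        _grantRole(GOVERNANCE_COUNCIL_ROLE, council);
    }

    // Council may approve any token to any address; auth = address(0) tells the
    // OpenZeppelin `_approve` to skip the owner/operator check.
    function approve(address to, uint256 tokenId)
        public virtual override onlyRole(GOVERNANCE_COUNCIL_ROLE)
    {
        _approve(to, tokenId, address(0));
    }

    function supportsInterface(bytes4 interfaceId)
        public view override(ERC721, AccessControl) returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }
}

// Hardened pattern: override the second approval path too, so the restriction
// on `approve` cannot be sidestepped. Blanket operators are set on a holder's
// behalf only by the council, through the internal `_setApprovalForAll`.
contract GatedApprovalsNFT is GatedApproveNFT {
    constructor(address council) GatedApproveNFT(council) {}

    // Holders can no longer self-authorize an operator.
    function setApprovalForAll(address, bool) public pure override {
        revert("setApprovalForAll disabled; use setOperatorFor");
    }

    // Hypothetical council-only replacement for the blanket approval.
    function setOperatorFor(address holder, address operator, bool approved)
        external onlyRole(GOVERNANCE_COUNCIL_ROLE)
    {
        _setApprovalForAll(holder, operator, approved);
    }
}
```

Because the inherited `transferFrom` only honours approvals recorded by these two paths, gating both of them is what actually keeps transfers under council control.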

sherlock-admin2 commented 6 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid because { This is valid and a dup of 190 due to the same underlying cause of not overriding a function}