Closed sherlock-admin closed 5 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid because { this is invalid because according to what I understand; the governor is the approved user only and that's what allowed him to transfer the token even if he isn't the owner; in case of the transfer; the only isAuthorized; it's used for the governance in case he tries to transfer(removeFromOffice) again; but for user to pass there is need of him to be the owner; so invalid.}
bitsurfer
medium
Lack of revoke or clear token approval when removed from office
Summary
Lack of revoke token approval when removed from office
Vulnerability Detail
In CouncilMember there is a removeFromOffice function to replace an existing council member with a new one. The function basically withdraws all rewards to rewardRecipient and then transfers the tokenId to the new council member (or existing council member).
In the function, one element of removal is missing: clearing the approval of that tokenId (_tokenApproval). There is a possible condition where the tokenId was previously approved to some other address via the approve function. This _tokenApproval is not cleared in this removeFromOffice operation.
If we check again, the _isAuthorized is being used in the _isAuthorized override function in ERC721, and can be checked whether the approved address is allowed to manage owner's tokens, or tokenId in particular (ignoring whether it is owned by owner). Thus, this should be cleared too when removing the tokenId from the original owner.
The approved address (or person) can front-run or act when there is a removeFromOffice, and perform any action which they should no longer have the capability to perform after being removed from office.
Impact
Approved user of tokenId can still execute operations as an authorized user of tokenId since the _tokenApproval is not cleared
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L122-L134
Tool used
Manual Review
Recommendation
Consider clearing the token approval for that corresponding tokenId in the removeFromOffice operation
Duplicate of #35
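The recommendation above, sketched as an added example that is not part of the report or the Telcoin code base: a stripped-down Solidity model in which removeFromOffice deletes the per-token approval before reassigning the seat. The contract name, the single governance address, mint, ownerOf, getApproved and the owner-only approve are assumptions made for the sketch; only _tokenApproval and removeFromOffice take their names from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model constructed for illustration; NOT the Telcoin CouncilMember contract.
// Only _tokenApproval and removeFromOffice are named after the report; the rest is assumed.
contract CouncilSeatModel {
    address public immutable governance;                 // stand-in for the governance role
    mapping(uint256 => address) private _owners;         // tokenId => current seat holder
    mapping(uint256 => address) private _tokenApproval;  // tokenId => approved spender

    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);
    event Approval(address indexed owner, address indexed approved, uint256 indexed tokenId);

    constructor() { governance = msg.sender; }

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    function mint(address to, uint256 tokenId) external onlyGovernance {
        require(to != address(0) && _owners[tokenId] == address(0), "bad mint");
        _owners[tokenId] = to;
        emit Transfer(address(0), to, tokenId);
    }

    // Assumption of this model: the seat holder grants the approval.
    function approve(address spender, uint256 tokenId) external {
        address owner = _owners[tokenId];
        require(msg.sender == owner, "not owner");
        _tokenApproval[tokenId] = spender;
        emit Approval(owner, spender, tokenId);
    }

    function ownerOf(uint256 tokenId) external view returns (address) { return _owners[tokenId]; }
    function getApproved(uint256 tokenId) external view returns (address) { return _tokenApproval[tokenId]; }

    // Replaces the holder of a seat. The approval granted under the outgoing holder is
    // deleted in the same transaction, so it cannot outlive the removal.
    function removeFromOffice(address from, address to, uint256 tokenId) external onlyGovernance {
        require(_owners[tokenId] == from && to != address(0), "bad transfer");
        delete _tokenApproval[tokenId];            // the step the recommendation asks for
        emit Approval(from, address(0), tokenId);  // make the reset visible to indexers
        _owners[tokenId] = to;
        emit Transfer(from, to, tokenId);
    }
}
```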