Closed sherlock-admin2 closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { this is a valid finding as the watson was able to explain howa malicious user can transfer the token and denying the governace from removing him; its a dupp of 190 with better writeup and a highrt impact reported thus making it best!!!}
grearlake
high
Malicious council member can't be removed
Summary
Malicious council member can't be removed from council member list by transfer ERC721 token to other address
Vulnerability Detail
Function
removeFromOffice
is called by governance to replace existing council member with a new one and withdraw old telecoin:it call
_transfer()
function in ERC721Upgradeable library to transfer ownership of token:But
transferFrom()
function in theERC721Upgradeable
is not overriden, which make user able to transfer token to other address, which make conditionelse if (previousOwner != from)
is true, lead to contract become revert.transferFrom()
function:Council member can transfer token because they are owner of token that granted in the `mint() function:
Impact
Council member can't be removed. Attacker can execute bad actions like cancel any transaction by challenging them.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L122-#L134
Tool used
Manual Review
Recommendation
transferFrom()
function in theERC721Upgradeable
contract should be overriden to not allowing anyone to call themDuplicate of #243