Closed sherlock-admin2 closed 5 months ago
bareli
medium
we should add owner for calculating structHash.
function permit(address spender, uint256 tokenId, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public virtual { require(block.timestamp <= deadline, "ERC721Permit: expired deadline");
address owner = ownerOf(tokenId);
@> bytes32 structHash = keccak256(abi.encode(_PERMIT_TYPEHASH, spender, tokenId, _useNonce(owner), deadline));
bytes32 hash = _hashTypedDataV4(structHash); address signer = ECDSA.recover(hash, v, r, s); require(signer == owner, "ERC721Permit: invalid signature"); _approve(spender, tokenId); }
structHash is not implemented correctly.There may be some multiple permit for same owner.
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/util/ERC4494.sol#L49C78-L49C85
Manual Review
@> bytes32 structHash = keccak256(abi.encode(_PERMIT_TYPEHASH,owner, spender, tokenId, _useNonce(owner), deadline));
Invalid
Invalid, I don't see the issue here, function implementation is consistent
bareli
medium
wrong implement of "permit"
Summary
we should add owner for calculating structHash.
Vulnerability Detail
function permit(address spender, uint256 tokenId, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public virtual { require(block.timestamp <= deadline, "ERC721Permit: expired deadline");
@> bytes32 structHash = keccak256(abi.encode(_PERMIT_TYPEHASH, spender, tokenId, _useNonce(owner), deadline));
Impact
structHash is not implemented correctly.There may be some multiple permit for same owner.
Code Snippet
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/util/ERC4494.sol#L49C78-L49C85
Tool used
Manual Review
Recommendation
function permit(address spender, uint256 tokenId, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public virtual { require(block.timestamp <= deadline, "ERC721Permit: expired deadline");
@> bytes32 structHash = keccak256(abi.encode(_PERMIT_TYPEHASH,owner, spender, tokenId, _useNonce(owner), deadline));