sherlock-audit / 2024-04-titles-judging


CodeWasp - `Edition.transferWork` allows zero address, leaves work inaccessible for further updates #388

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

CodeWasp

medium

`Edition.transferWork` allows zero address, leaves work inaccessible for further updates

Summary

`Edition.transferWork` allows setting the work's creator to the zero address, leaving it without a creator.

Vulnerability Detail

`Edition.transferWork` allows setting the work's creator to the zero address.

Impact

Leaves the work inaccessible for fee updates (`setFeeStrategy`), setting metadata (`setMetadata`) or timeframe (`setTimeframe`).

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L412-L417

Tool used

Manual Review

Recommendation

Check argument `to_` and revert on zero address.
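
A simplified model of the behaviour in the report and of the recommended check, as an added example that is not the `Edition.sol` source. The contract name, storage layout, `publish` helper, error names and the `Unchecked` function name are assumptions; only `transferWork`, `to_` and `setMetadata` are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model (assumed layout, not the TITLES Edition contract):
/// each work has a creator, and only that creator may update the work.
contract WorkRegistryModel {
    struct Work {
        address creator;
        string metadataURI; // hypothetical field standing in for per-work settings
    }

    mapping(uint256 => Work) public works;
    uint256 public nextId;

    error Unauthorized();
    error ZeroAddress();

    modifier onlyCreator(uint256 tokenId) {
        if (msg.sender != works[tokenId].creator) revert Unauthorized();
        _;
    }

    /// Hypothetical helper so the model can be exercised: caller becomes creator.
    function publish() external returns (uint256 tokenId) {
        tokenId = ++nextId;
        works[tokenId].creator = msg.sender;
    }

    /// Behaviour described in the report: `to_` is not checked, so the creator
    /// can become address(0); every onlyCreator call on that work then reverts.
    function transferWorkUnchecked(uint256 tokenId, address to_) external onlyCreator(tokenId) {
        works[tokenId].creator = to_;
    }

    /// Recommended form: revert on the zero address before updating the creator.
    function transferWork(uint256 tokenId, address to_) external onlyCreator(tokenId) {
        if (to_ == address(0)) revert ZeroAddress();
        works[tokenId].creator = to_;
    }

    /// Stands in for the creator-gated setters named in the report
    /// (setFeeStrategy, setMetadata, setTimeframe).
    function setMetadata(uint256 tokenId, string calldata uri) external onlyCreator(tokenId) {
        works[tokenId].metadataURI = uri;
    }
}
```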

thpani commented 1 month ago

Escalate

This is similar to #283, which is sponsor-confirmed and selected for reward. In contrast to #283, which points out the effects of transferring a work to another creator, this issue describes the effects of transferring a work to the zero address.

This is at least a dup of #283 – but effectively describes a different effect and can also stand on its own.

Apologies for the brief original submission – I was running out of time 😓

sherlock-admin3 commented 1 month ago

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 1 month ago

I believe this report is a user mistake to transfer ownership to 0 address, hence, invalid. Planning to reject the escalation and leave the issue as it is.

Evert0x commented 1 month ago

Result: Invalid Unique

sherlock-admin4 commented 1 month ago

Escalations have been resolved successfully!

Escalation status: