ownership_change state is not migrated to split NFTs in VotingEscrow
Summary
The ownership_change state is set when a NFT is transferred. However, this state is not migrated when splitting it.
Vulnerability Detail
When an NFT is transferred, the _transferFrom function sets the block of ownership transfer as following: `ownership_change[_tokenId] = block.number; (link to code)
This value is only checked by the function balanceOfNFT:
function balanceOfNFT(uint _tokenId) external view returns (uint) {
if (ownership_change[_tokenId] == block.number) return 0;
return _balanceOfNFT(_tokenId, block.timestamp);
}
An user can bypass this check by calling the split function, where a new NFT with a value of up to _locked.amount -1 is created. The ownership_change mapping is not updated for the newly created NFT.
Impact
Low severity issue
Code Snippet
Tool used
Manual Review
Recommendation
Update the status of the newly created NFT, and thus removing the possibility to sidestep this lock
Funny Merlot Yeti
Low/Info
ownership_change state is not migrated to split NFTs in VotingEscrow
Summary
The
ownership_changestate is set when a NFT is transferred. However, this state is not migrated when splitting it.Vulnerability Detail
When an NFT is transferred, the
_transferFromfunction sets the block of ownership transfer as following: `ownership_change[_tokenId] = block.number; (link to code)This value is only checked by the function
balanceOfNFT:An user can bypass this check by calling the
splitfunction, where a new NFT with a value of up to_locked.amount -1is created. Theownership_changemapping is not updated for the newly created NFT.Impact
Low severity issue
Code Snippet
Tool used
Manual Review
Recommendation
Update the status of the newly created NFT, and thus removing the possibility to sidestep this lock