Unrevoked approvals allow NFT recovery by previous owner #160
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- H-02
- primary issue: Highest quality submission among a set of duplicates
- 🤖_22_group: AI based duplicate group recommendation
- satisfactory: satisfies C4 submission criteria; eligible for awards
- selected for report: This submission will be included/highlighted in the audit report
- sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/OwnershipNFTs.sol#L98-L107
Vulnerability details
Impact
The vulnerability arises from the fact that, after a token transfer, the approval recorded for the token is not revoked: `getApproved[_tokenId]` is not cleared on transfer. This allows the previous owner (who can approve themselves before transferring) or any address they approved to reclaim the NFT by using the stale approval to transfer the token back to themselves. This is critical because the new owner of the NFT may lose the asset without realising it, leading to direct loss of assets and decreased trust in the platform.
Details
In the provided `approve` function, any token owner can approve themselves or another address for a specific token ID. Since the approval is not revoked upon transfer, the previously approved address retains the ability to re-transfer the NFT. The `_requireAuthorised` function is the only check on transfer permission, and it still accepts the stale approval after the token has changed hands.

Step-by-Step PoC:
1. The original owner (`owner1`) approves an address (`addr2`) to transfer their token.
2. `owner1` transfers the token to `newOwner`.
3. The approval granted to `addr2` is not revoked after the transfer.
4. `addr2` can still use their approval to transfer the NFT back to themselves, effectively recovering the NFT from `newOwner`.

Note to the judge: there are no existing tests for this specific smart contract (because it is in Solidity). A coded PoC for this easy-to-understand vulnerability would involve creating all the deployment logic.
Tools Used
Manual code review
Recommended Mitigation Steps
To prevent this vulnerability, any existing approval for a token should be revoked when the token is transferred, by clearing `getApproved[_tokenId]` inside the transfer function. This matches standard ERC-721 semantics, where a `Transfer` resets the approved address for that token to none.
Clearing the approval in the transfer function ensures that a previously approved address cannot move the NFT after it has been sold or transferred to a new owner.
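The following Foundry test is an added example, not code from the Superposition repository and not the auditor's PoC: it reproduces the four-step scenario above against a deliberately minimal NFT (`LeakyNFT`, with a local `ownerOf` mapping rather than the project's position-based ownership) and then shows the recommended fix (`FixedNFT`, which deletes `getApproved[_tokenId]` during `_transfer`) closing the hole. Contract and account names, the `"unauthorised"` revert string and the `forge-std` dependency are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed, minimal NFT that reproduces the reported flaw:
// the approval is never cleared when the token changes hands.
// Not the project's OwnershipNFTs.sol.
contract LeakyNFT {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public getApproved;

    function mint(address to, uint256 tokenId) external {
        require(ownerOf[tokenId] == address(0), "already minted");
        ownerOf[tokenId] = to;
    }

    // Any current owner can approve an arbitrary address (including themselves).
    function approve(address spender, uint256 tokenId) external {
        require(msg.sender == ownerOf[tokenId], "not owner");
        getApproved[tokenId] = spender;
    }

    // Sole authorisation check on transfers: owner or approved address.
    function _requireAuthorised(address from, uint256 tokenId) internal view {
        require(ownerOf[tokenId] == from, "wrong from");
        require(msg.sender == from || msg.sender == getApproved[tokenId], "unauthorised");
    }

    function _transfer(address from, address to, uint256 tokenId) internal virtual {
        _requireAuthorised(from, tokenId);
        ownerOf[tokenId] = to;
        // BUG: getApproved[tokenId] is left intact for the new owner's token.
    }

    function transferFrom(address from, address to, uint256 tokenId) external {
        _transfer(from, to, tokenId);
    }
}

// Hardened variant: the transfer also revokes the token's approval,
// as ERC-721 requires.
contract FixedNFT is LeakyNFT {
    function _transfer(address from, address to, uint256 tokenId) internal override {
        super._transfer(from, to, tokenId);
        delete getApproved[tokenId];
    }
}

contract StaleApprovalTest is Test {
    address owner1 = makeAddr("owner1");
    address addr2 = makeAddr("addr2");
    address newOwner = makeAddr("newOwner");
    uint256 constant TOKEN = 1;

    // Steps 1-4 of the PoC: addr2 pulls the token back from newOwner.
    function test_previousApproveeRecoversToken() public {
        LeakyNFT nft = new LeakyNFT();
        nft.mint(owner1, TOKEN);

        vm.prank(owner1);
        nft.approve(addr2, TOKEN);              // step 1
        vm.prank(owner1);
        nft.transferFrom(owner1, newOwner, TOKEN); // step 2
        assertEq(nft.ownerOf(TOKEN), newOwner);
        assertEq(nft.getApproved(TOKEN), addr2); // step 3: approval survived

        vm.prank(addr2);
        nft.transferFrom(newOwner, addr2, TOKEN); // step 4: recovery
        assertEq(nft.ownerOf(TOKEN), addr2);
    }

    // Same sequence against the fixed contract: step 4 reverts.
    function test_fixedContractRevokesApproval() public {
        FixedNFT nft = new FixedNFT();
        nft.mint(owner1, TOKEN);

        vm.prank(owner1);
        nft.approve(addr2, TOKEN);
        vm.prank(owner1);
        nft.transferFrom(owner1, newOwner, TOKEN);
        assertEq(nft.getApproved(TOKEN), address(0));

        vm.prank(addr2);
        vm.expectRevert(bytes("unauthorised"));
        nft.transferFrom(newOwner, addr2, TOKEN);
        assertEq(nft.ownerOf(TOKEN), newOwner);
    }
}
```

Run with `forge test` in a project that has `forge-std` installed. The first test passes only because the approval is stale; the second shows that a single `delete getApproved[tokenId]` in the transfer path is enough to make `_requireAuthorised` reject the former approvee.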
Assessed type
Token-Transfer