Skip to content

Incorrect onERC721Received Selector Check in _onTransferReceived() #163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
howlbot-integration bot opened this issue Sep 16, 2024 · 1 comment
Closed

Incorrect onERC721Received Selector Check in _onTransferReceived() #163

howlbot-integration bot opened this issue Sep 16, 2024 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-148 🤖_09_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/sol/OwnershipNFTs.sol#L92-L95

Vulnerability details

Impact

The incorrect check in _onTransferReceived() prevents NFTs from being transferred to contracts that correctly implement the ERC721 token receiver interface.

Proof of Concept

The _onTransferReceived() function is designed to ensure that when an NFT is transferred to a contract, the recipient contract correctly implements the onERC721Received function. This function should return a specific selector to confirm that it can handle ERC721 tokens.

    // if the callback doesn't return the selector, revert!
    function _onTransferReceived(
        address _sender,
        address _from,
        address _to,
        uint256 _tokenId
    ) internal {
        // only call the callback if the receiver is a contract
        if (_to.code.length == 0) return;

        bytes4 data = IERC721TokenReceiver(_to).onERC721Received(
            _sender,
            _from,
            _tokenId,

            // this is empty byte data that can be optionally passed to
            // the contract we're confirming is able to receive NFTs
            ""
        );

        require(
            data != IERC721TokenReceiver.onERC721Received.selector,
            "bad nft transfer received data"
        );
    }

However, the current implementation incorrectly checks for inequality rather than equality.

        require(
            data != IERC721TokenReceiver.onERC721Received.selector,
            "bad nft transfer received data"
        );

This means that the function will revert if the recipient contract correctly returns the expected selector, which is the opposite of the intended behavior. As a result, any contract that correctly implements the onERC721Received function will be unable to receive NFTs from this contract.

Tools Used

Manual Review

Recommended Mitigation Steps

The require statement should be corrected to check for equality, ensuring that the recipient contract's onERC721Received function returns the expected selector.

        require(
-           data != IERC721TokenReceiver.onERC721Received.selector,
+           data == IERC721TokenReceiver.onERC721Received.selector, 
            "bad nft transfer received data"
        );

Assessed type

Invalid Validation
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_09_group AI based duplicate group recommendation bug Something isn't working duplicate-55 sufficient quality report This report is of sufficient quality labels Sep 16, 2024
howlbot-integration bot added a commit that referenced this issue Sep 16, 2024
@howlbot-integration
Tigerfrake issue #163
c940277
@c4-judge c4-judge added duplicate-148 satisfactory satisfies C4 submission criteria; eligible for awards and removed duplicate-55 labels Sep 23, 2024
@c4-judge
Copy link
Contributor

alex-ppg marked the issue as satisfactory

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-148 🤖_09_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge