Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect verification of onERC721Received callback success #26

Closed
c4-bot-5 opened this issue Sep 12, 2024 · 1 comment
Closed

Incorrect verification of onERC721Received callback success #26

c4-bot-5 opened this issue Sep 12, 2024 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-148 🤖_09_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-5
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/OwnershipNFTs.sol#L92-L95

Vulnerability details

Impact

Incorrect verification of onERC721Received callback can lead to the inability to transfer OwnershipNFTs to contracts.

Proof of Concept

According to the EIP-721 specification, the OwnershipNFTs.sol contract checks whether the recipient is a contract. If so, it validates the success of the transfer inside the _onTransferReceived function:

    function _onTransferReceived(
        address _sender,
        address _from,
        address _to,
        uint256 _tokenId
    ) internal {
        // only call the callback if the receiver is a contract
        if (_to.code.length == 0) return;

        bytes4 data = IERC721TokenReceiver(_to).onERC721Received(
            _sender,
            _from,
            _tokenId,

            // this is empty byte data that can be optionally passed to
            // the contract we're confirming is able to receive NFTs
            ""
        );

>>      require(
            data != IERC721TokenReceiver.onERC721Received.selector,
            "bad nft transfer received data"
        );
    }

However, instead of checking that the returned data equals the onERC721Received.selector "magic word", the contract requires the opposite. This logic error causes NFT transfers to contract addresses to revert even when they are successful.

Tools Used

Manual review

Recommended Mitigation Steps

        require(
+           data == IERC721TokenReceiver.onERC721Received.selector,
            "bad nft transfer received data"
        );

Assessed type

ERC721
@c4-bot-5 c4-bot-5 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 12, 2024
c4-bot-4 added a commit that referenced this issue Sep 12, 2024
@c4-bot-4
SpicyMeatball issue #26
6fb729e
@c4-bot-13 c4-bot-13 added the 🤖_09_group AI based duplicate group recommendation label Sep 13, 2024
@howlbot-integration howlbot-integration bot added sufficient quality report This report is of sufficient quality duplicate-55 labels Sep 16, 2024
@c4-judge
Copy link
Contributor

alex-ppg marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Sep 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-148 🤖_09_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-bot-5 @c4-bot-13