Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OwnershipNFTs do not comply with ERC721, breaking composability #188

Open
c4-bot-2 opened this issue Sep 13, 2024 · 1 comment
Open

OwnershipNFTs do not comply with ERC721, breaking composability #188

c4-bot-2 opened this issue Sep 13, 2024 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working 🤖_56_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-2
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/OwnershipNFTs.sol#L13

Vulnerability details

OwnershipNFTs within the contract deviate from the ERC721 standard, leading to issues with composability and interoperability. Following are the missing things which are mandated by the ERC721 specification:

  • transfer() Function: The ERC721 standard specifies that a transfer to address(0) must revert, as it would destroy the token and lead to issues with tracking asset ownership. Failing to handle this can break the lifecycle of the NFT and introduce bugs or loss of tokens.

  • Missing Events: Transfer and approval events are critical for tracking changes in ownership and enabling third-party systems to respond to changes in asset state.

  • balanceOf() Function: This function should revert if queried for an invalid owner address (address(0)).

  • ownerOf() Function: This function should revert if called with a token ID not owned by any address or if the owner is address(0).

  • getApproved() Function: The function should throw an error if the queried _tokenId is not valid (i.e., the token does not exist).

Impact

The non-compliance with ERC721 results in Breaking Composability and also

  • Potential Loss of Funds: Since tokens can be transferred to address(0) without reverts, this could result in permanent loss of NFTs. (This could be user error but here it is protocol mistake for not adhering the standard).

  • Lack of Traceability: Missing events make it difficult to track token transfers and approvals, which can hamper monitoring systems monitoring malicious activities.

Proof of Concept

https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/OwnershipNFTs.sol#L13

Tools Used

Manual Review

Recommended Mitigation Steps

Align OwnershipNFT contract with the ERC721 standard.

Assessed type

ERC721
@c4-bot-2 c4-bot-2 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 13, 2024
c4-bot-8 added a commit that referenced this issue Sep 13, 2024
@c4-bot-8
Nikki issue #188
51d96dc
@c4-bot-12 c4-bot-12 added the 🤖_56_group AI based duplicate group recommendation label Sep 13, 2024
howlbot-integration bot added a commit that referenced this issue Sep 16, 2024
@howlbot-integration
Nikki update issue #188
82f6771
@howlbot-integration howlbot-integration bot added the sufficient quality report This report is of sufficient quality label Sep 16, 2024
@af-afk
Copy link

af-afk commented Sep 23, 2024

fluidity-money/long.so@cb98ea6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working 🤖_56_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@af-afk @c4-bot-2 @c4-bot-12