You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the function awardExternalERC721 of contract PrizePool, when awarding external ERC721 tokens to the winners, the transferFrom keyword is used instead of safeTransferFrom. If any winner is a contract and is not aware of incoming ERC721 tokens, the sent tokens could be locked.
Consider changing transferFrom to safeTransferFrom at line 602. However, it could introduce a DoS attack vector if any winner maliciously rejects the received ERC721 tokens to make the others unable to get their awards. Possible mitigations are to use a try/catch statement to handle error cases separately or provide a function for the pool owner to remove malicious winners manually if this happens.
The text was updated successfully, but these errors were encountered:
This issue poses no risk to the Prize Pool, so it's more of a 1 (Low Risk IMO.
This is just about triggering a callback on the ERC721 recipient. We omitted it originally because we didn't want a revert on the callback to DoS the prize pool.
However, to respect the interface it makes sense to implement it fully. That being said, if it does throw we must ignore it to prevent DoS attacks.
Handle
shw
Vulnerability details
Impact
In the function
awardExternalERC721
of contractPrizePool
, when awarding external ERC721 tokens to the winners, thetransferFrom
keyword is used instead ofsafeTransferFrom
. If any winner is a contract and is not aware of incoming ERC721 tokens, the sent tokens could be locked.Proof of Concept
Referenced code:
PrizePool.sol#L602
Recommended Mitigation Steps
Consider changing
transferFrom
tosafeTransferFrom
at line 602. However, it could introduce a DoS attack vector if any winner maliciously rejects the received ERC721 tokens to make the others unable to get their awards. Possible mitigations are to use atry/catch
statement to handle error cases separately or provide a function for the pool owner to remove malicious winners manually if this happens.The text was updated successfully, but these errors were encountered: