Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use _safeTransfer when transferring NFTs #65

Open
code423n4 opened this issue Aug 25, 2021 · 3 comments
Open

Use _safeTransfer when transferring NFTs #65

code423n4 opened this issue Aug 25, 2021 · 3 comments
Labels
1 (Low Risk) bug Something isn't working sponsor disputed

Comments

@code423n4
Copy link
Contributor

Handle

shw

Vulnerability details

Impact

The transferNft function of RCNftHubL2 is called when transferring the card to the final winner. However, this function does not check whether the recipient is aware of the ERC721 protocol and calls _transfer directly. If the recipient is a contract not aware of incoming NFTs, then the transferred NFT would be locked in the recipient forever.

Proof of Concept

Referenced code:
RCNftHubL2.sol#L135

Recommended Mitigation Steps

Use the _safeTransfer function instead, which checks if the recipient contract implements the onERC721Received interface to avoid loss of NFTs.
@code423n4 code423n4 added 1 (Low Risk) bug Something isn't working labels Aug 25, 2021
code423n4 added a commit that referenced this issue Aug 25, 2021
@code423n4
shw issue #65
ee02f60
@Splidge
Copy link
Collaborator

Splidge commented Aug 26, 2021

This transfer function is just for the market to move the NFTs while the market is operational, during this phase it doesn't matter if the NFT is given to a non-compliant contract as the market is in control of moving the NFT and will simply give it to the next user that makes a rental.
Using _safeTransfer would be dangerous as it would give an attacker the opportunity to take part in a market via a contract that is not ERC721 compliant, when the market attempts to pass ownership to this contract the transfer would revert and the market would become locked.

@0xean
Copy link
Collaborator

0xean commented Sep 2, 2021

claimCard in RCMarket.sol also calls the transfer method to claim the card, which could result in the situation outlined by the warden.

@Splidge
Copy link
Collaborator

Splidge commented Sep 2, 2021
edited
Loading

Ahh sorry, I missed the key part in the wardens impact "when transferring the card to the final winner".

I still think this isn't an issue as if the destination is a non-compliant contract, when using _safeTransfer the claimCard call would revert. The NFT is permanently stuck on either the market or on the non-compliant contract.
At least the person who wrote the contract, funded it, used it to place bids, win the NFT and make the claimCard call would still get it transferred to their contract to use as a trophy cabinet of sorts. Maybe that person didn't implement onERC721Received?
This check would be too little too late.

Maybe we could check when the first rental is made that the sender is eligible? Although that would deviate slightly from the standard as onERC721Received is supposed to be called after the transfer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1 (Low Risk) bug Something isn't working sponsor disputed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@0xean @Splidge @code423n4