QA Report #119
Labels: bug (Something isn't working); QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
The user may accidentally set `durationDays` to the max of uint8 (255 days) and have his asset locked up for a very long time if the option's buyer does not exercise the option. I think that it would be in the best interest of the user if the locked-up period is fixed to a reasonable period like 30 days and the contract's owner should clearly communicate about the risk of the user's asset unintentionally getting locked up if the option is not exercised.

`transferOwnership()`

Transferring ownership should be a two-step process. The contract relies on OpenZeppelin's Ownable, which may be problematic. Even when the function checks for the zero address, it overlooks the case that the current owner may accidentally input the wrong address. To add an additional security layer, the contract should add the `acceptOwnership()` function that the nominated account will have to call.

The contract uses `safeTransfer()` for ERC20 but uses `transferFrom()` for ERC721 in both `exercise()` and `withdraw()`, which may lead to the loss of ERC721 if the receiving contract does not have `onERC721Received()`. To prevent this unintended circumstance, the contract should replace this function with `safeTransferFrom()` for ERC721 to check whether the receiving contract is IERC721Receiver.