Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The CallyNft contract does not override the transferFrom function, resulting in an underflow in the transferFrom function #2

Closed
code423n4 opened this issue May 10, 2022 · 1 comment
Closed

The CallyNft contract does not override the transferFrom function, resulting in an underflow in the transferFrom function #2

code423n4 opened this issue May 10, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working withdrawn by warden Special case: warden has withdrawn this submission and it can be ignored

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/CallyNft.sol#L12-L12

Vulnerability details

Impact

The CallyNft contract inherits from the ERC721 contract and removes the modification to _balanceOf to save gas.
The CallyNft contract overrides the _mint and _burn functions, but does not override the transferFrom function, which causes an underflow when the user calls the transferFrom and safeTransferFrom functions of the CallyNft contract

Proof of Concept

https://github.com/code-423n4/2022-05-cally/blob/1849f9ee12434038aa80753266ce6a2f2b082c59/contracts/src/CallyNft.sol#L12-L12

Tools Used

None

Recommended Mitigation Steps

Override transferFrom function

    function transferFrom(
        address from,
        address to,
        uint256 id
    ) public virtual {
        require(from == _ownerOf[id], "WRONG_FROM");

        require(to != address(0), "INVALID_RECIPIENT");

        require(
            msg.sender == from || isApprovedForAll[from][msg.sender] || msg.sender == getApproved[id],
            "NOT_AUTHORIZED"
        );
        _ownerOf[id] = to;

        delete getApproved[id];

        emit Transfer(from, to, id);
    }
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels May 10, 2022
code423n4 added a commit that referenced this issue May 10, 2022
@code423n4
cccz issue #2
7967f18
@itsmetechjay itsmetechjay added the withdrawn by warden Special case: warden has withdrawn this submission and it can be ignored label May 11, 2022
@itsmetechjay
Copy link
Contributor

Withdrawn by warden cccz per help desk.

This was referenced May 12, 2022
Closed
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working withdrawn by warden Special case: warden has withdrawn this submission and it can be ignored
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code423n4 @itsmetechjay