Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of ERC1155 Token Withdrawal Functionality in VirtualAccount Contract #408

Open
c4-submissions opened this issue Oct 4, 2023 · 8 comments
Open

Lack of ERC1155 Token Withdrawal Functionality in VirtualAccount Contract #408

c4-submissions opened this issue Oct 4, 2023 · 8 comments
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality

Comments

@c4-submissions
Copy link
Contributor

c4-submissions commented Oct 4, 2023
edited by code4rena-admin

Lines of code

https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/VirtualAccount.sol#L17

Vulnerability details

Summary

The issue at hand pertains to the absence of functionality for users to withdraw ERC1155 tokens from the VirtualAccount contract. While the contract correctly implements the onERC1155Received and onERC1155BatchReceived functions, enabling it to receive ERC1155 tokens, it lacks a corresponding withdrawal mechanism for these tokens. In contrast, other token types, such as native Ether, ERC20, and ERC721 tokens, have dedicated withdrawal functions in the contract (withdrawNative, withdrawERC20, and withdrawERC721). However, ERC1155 tokens have not been considered in the withdrawal process.

Impact

This limitation means that users who have deposited ERC1155 tokens into their virtual accounts have no means to retrieve them. The absence of this functionality can be highly inconvenient for users who may need to manage and utilize these ERC1155 tokens on other platforms or within other contracts. Consequently, users may perceive this limitation as a significant drawback, negatively affecting the overall utility and user experience of the contract.

Tools Used

Manual

Recommended Mitigation Steps

To address this issue and empower users to withdraw ERC1155 tokens from their virtual accounts, it is recommended to implement a dedicated withdrawal function specifically designed for ERC1155 tokens.
Below is a suggested solution for such a function:

function withdrawERC1155(address _token, uint256[] memory _ids, uint256[] memory _amounts) external requiresApprovedCaller {
    require(_ids.length == _amounts.length, "Array lengths do not match");
    IERC1155(_token).safeBatchTransferFrom(address(this), msg.sender, _ids, _amounts, "");
}

By implementing this proposed solution, users will have the capability to withdraw ERC1155 tokens, enhancing the versatility and user-friendliness of the contract.

Assessed type

DoS
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 4, 2023
c4-submissions added a commit that referenced this issue Oct 4, 2023
@c4-submissions
33BYTEZZZ issue #408
45f57ce
@code4rena-admin code4rena-admin changed the title Lack of ERC1155 Token Withdrawal Functionality in VirtualAccount Contract Lack of ERC1155 Token Withdrawal Functionality in VirtualAccount Contract Oct 4, 2023
@c4-pre-sort
Copy link

0xA5DF marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Oct 7, 2023
@c4-pre-sort c4-pre-sort mentioned this issue Oct 7, 2023
Open
@c4-pre-sort
Copy link

0xA5DF marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Oct 8, 2023
This was referenced Oct 9, 2023
Open
Open
Open
Open
Open
Open
This was referenced Oct 15, 2023
Open
Open
@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Oct 16, 2023
@c4-sponsor
Copy link

0xLightt marked the issue as disagree with severity

@c4-sponsor
Copy link

0xLightt (sponsor) disputed

@c4-sponsor c4-sponsor added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Oct 16, 2023
@0xLightt
Copy link

0xLightt commented Oct 16, 2023
edited

Funds are never at risk without it. Users can always use call() to interact with funds. Adding a withdrawERC1155 can improve UX, but there is no issue or any kind of risk if it does not exist.
The reason behind the dispute is that this and duplicate findings state that virtual accounts have no means to retrieve them, which is incorrect.

@alcueca
Copy link

alcueca commented Oct 24, 2023

Given that users can retrieve their funds (and that MaiaDAO can implement a frontend to make it easy), this is QA

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 24, 2023
@c4-judge
Copy link
Contributor

alcueca changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

alcueca marked the issue as grade-a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) downgraded by judge Judge downgraded the risk level of this issue edited-by-warden grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@alcueca @c4-judge @c4-sponsor @0xLightt @c4-pre-sort @c4-submissions @code4rena-admin