approve() function in the OwnershipNFT contract has incorrect authorization check #130
Labels
- 2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
- bug: Something isn't working
- duplicate-65
- edited-by-warden
- 🤖_10_group: AI based duplicate group recommendation
- sufficient quality report: This report is of sufficient quality
- unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/OwnershipNFTs.sol#L161
Vulnerability details
Impact
The current functionality of the `OwnershipNFTs` smart contract allows approvals of the NFT positions to be made to other addresses. The problem is that the contract is supposed to be ERC-721 compliant, but its implementation of authorization checks differs from the one in the ERC-721 contract itself.

Proof of Concept

Here's the current `approve()` behavior:
https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/sol/OwnershipNFTs.sol#L160-163

It calls the `_requireAuthorised()` function for authorization purposes, as the NFT transfer functions do. But, in comparison with the ERC-721 standard, it uses a different implementation:
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC721/ERC721.sol#L415-417
As you can see, there are several deviations from the ERC-721 standard:

- The function `_requireAuthorised()` requires the `from` address (that is, the `msg.sender` who calls `approve()`) to be the owner, while in the ERC-721 standard it's the `auth` address.
- It checks whether `msg.sender` is in the `getApproved` mapping for the given tokenID, while in the ERC-721 standard it's only `isApprovedForAll()`.
- `isApprovedForAll()` checks if the `isApprovedForAll[_from][msg.sender]` statement is true (where `_from` is always `msg.sender`), whereas the implementation of the standard checks `isApprovedForAll(owner, auth)`, where `auth` can differ from the `owner`.

This makes the contract non-ERC-721-compatible and leads to users not being able to give approvals of their tokenIDs to other addresses as required.
Tools Used
Manual review.
Recommended Mitigation Steps
Change the check for authorization inside of the `approve()` function to make it ERC-721 compatible.

Assessed type
Other
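The comparison made in the Proof of Concept can be checked with a small model. This is an added example, not code from the report, the OwnershipNFTs contract or OpenZeppelin: the `State` class, the account names and the way the three described conditions are combined in `report_check` are assumptions made for illustration.

```python
# Constructed model of the two authorization checks compared in this report.
# Not the OwnershipNFTs or OpenZeppelin source; state and names are illustrative.
from dataclasses import dataclass, field

@dataclass
class State:
    owner_of: dict = field(default_factory=dict)         # tokenId -> owner
    get_approved: dict = field(default_factory=dict)     # tokenId -> approved address
    approved_for_all: set = field(default_factory=set)   # {(owner, operator)}

def report_check(s, sender, token_id):
    """approve() as the report describes it: _requireAuthorised(msg.sender, tokenId).
    Assumption: the conditions combine as (any-of allowed) AND (from is the owner)."""
    frm = sender  # approve() always passes msg.sender as `from`
    allowed = (sender == frm
               or (frm, sender) in s.approved_for_all
               or s.get_approved.get(token_id) == sender)
    return allowed and s.owner_of.get(token_id) == frm

def erc721_check(s, auth, token_id):
    """ERC-721 approve rule: the caller is the owner or an operator approved for
    all of the owner's tokens. A per-token approved address may not re-approve."""
    owner = s.owner_of.get(token_id)
    return owner is not None and (auth == owner or (owner, auth) in s.approved_for_all)

def compare(s, token_id, callers):
    """Return {caller: (report_result, erc721_result)} for each caller."""
    return {c: (report_check(s, c, token_id), erc721_check(s, c, token_id))
            for c in callers}

# Constructed scenario: alice owns token 1, bob is her operator,
# carol holds the per-token approval, dave is unrelated.
STATE = State(owner_of={1: "alice"},
              get_approved={1: "carol"},
              approved_for_all={("alice", "bob")})

if __name__ == "__main__":
    results = compare(STATE, 1, ["alice", "bob", "carol", "dave"])
    for caller, (got, want) in results.items():
        flag = "" if got == want else "  <-- deviates from ERC-721"
        print(f"{caller:5} report={got!s:5} erc721={want!s:5}{flag}")
```

Under these assumptions the two checks disagree only for the operator: because `from` is always the caller, the ownership requirement rejects an address that the owner approved for all tokens.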