Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgraded Q -> 2 from #169 [1727128613860] #170

Closed
c4-judge opened this issue Sep 23, 2024 · 2 comments
Closed

Upgraded Q -> 2 from #169 [1727128613860] #170

c4-judge opened this issue Sep 23, 2024 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value duplicate-65 unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-judge
Copy link
Contributor

Judge has assessed an item in Issue #169 as 2 risk. The relevant finding follows:

2. OwnershipNFTs's approve function allows approved users to also perform approvals.

  • Lines of code

https://github.com/code-423n4/2024-08-superposition/blob/4528c9d2dbe1550d2660dac903a8246076044905/pkg/sol/OwnershipNFTs.sol#L160-L163

Impact

OwnershipNFTs's approve function allows approved users to also perform approvals, which can lead to approval loss.

The approve function checks if msg.sender is authorized.

    function approve(address _approved, uint256 _tokenId) external payable {
        _requireAuthorised(msg.sender, _tokenId);
        getApproved[_tokenId] = _approved;
    }

This is enforced by the _requireAuthorised which ensures that caller is either owner, owner's operator or approved to spend the token.

    function _requireAuthorised(address _from, uint256 _tokenId) internal view {
        // revert if the sender is not authorised or the owner
        bool isAllowed =
            msg.sender == _from ||
            isApprovedForAll[_from][msg.sender] ||
            msg.sender == getApproved[_tokenId];

        require(isAllowed, "not allowed");
        require(ownerOf(_tokenId) == _from, "_from is not the owner!");
    }

This is an issue because any user that had be approved to spend the token risks losing their approval after calling the approve function.

Recommended Mitigation Steps

Recommend limiting the approval to the owner and operator instead.
@c4-judge c4-judge added the 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value label Sep 23, 2024
c4-judge added a commit that referenced this issue Sep 23, 2024
@c4-judge
ZanyBonzy issue #170 (File generated from upgraded finding by judge a…
39d4282 
…lex-ppg)
@c4-judge
Copy link
Contributor Author

alex-ppg marked the issue as duplicate of #65

@c4-judge
Copy link
Contributor Author

alex-ppg marked the issue as unsatisfactory:
Invalid

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Sep 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value duplicate-65 unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge