cergyk - A claiming contract not implementing ERC721Receiver can be made to revert by an NFT funder #132
Comments
Escalate for 31 USDC. This is not a duplicate of #261 because Ongoing bounty does not distribute NFT rewards, so function `_transferNft`:

```solidity
function _transferNft(
    address _tokenAddress,
    address _payoutAddress,
    uint256 _tokenId
) internal virtual {
    IERC721Upgradeable nft = IERC721Upgradeable(_tokenAddress);
    nft.safeTransferFrom(address(this), _payoutAddress, _tokenId);
}
```

Anyway, I think this issue should be low because if this situation happens, admins can set a new payout address which is an EOA.
You've created a valid escalation for 31 USDC! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Escalation accepted. Not a duplicate of #261 and a low issue.
This issue's escalations have been accepted! Contestants' payouts and scores will be updated according to the changes made on this issue. |
cergyk
medium
A claiming contract not implementing ERC721Receiver can be made to revert by an NFT funder
Summary
On TieredFixedBounty and TieredPercentageBounty, any user can associate a whitelisted NFT reward with the paymentToken reward. Unfortunately this may revert the whole payment if the receiving address is a contract but not an ERC721Receiver.
Vulnerability Detail
If we take the simpler example of an atomic bounty:
https://github.com/sherlock-audit/2023-02-openq/blob/main/contracts/ClaimManager/Implementations/ClaimManagerV1.sol#L123-L166
A malicious user could detect that the closer is trying to claim the bounty with a contract which is not an ERC721Receiver and block his payment by funding the bounty with an NFT.
Impact
Bounty admin has to take control and either:
Code Snippet
Tool used
Manual Review
Recommendation
Do not fail on transfer of NFTs (use try/catch); eventually the NFT depositor can have his NFT refunded.
Please note that this scenario is different from #1, since in this case the NFT stays in the contract. So the griefing described here should be possible even if #1 is fixed and `nftDeposits` is updated correctly.