Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

neon2835 - The _requireOnlyOperatorOrOwnerOf function in the MlumStaking contract has a vulnerability, and users can bypass the judgment #636

Closed
sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Closed

neon2835 - The _requireOnlyOperatorOrOwnerOf function in the MlumStaking contract has a vulnerability, and users can bypass the judgment #636

sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin4
Copy link

sherlock-admin4 commented Jul 15, 2024
edited
Loading

neon2835

Medium

The _requireOnlyOperatorOrOwnerOf function in the MlumStaking contract has a vulnerability, and users can bypass the judgment

Summary

The _requireOnlyOperatorOrOwnerOf function in the MlumStaking contract has a vulnerability, and anyone can bypass this function

Vulnerability Detail

The code for the _requireOnlyOperatorOrOwnerOf function is as follows:

function _requireOnlyOperatorOrOwnerOf(uint256 tokenId) internal view {
    // isApprovedOrOwner: caller has no rights on token
    require(ERC721Upgradeable._isAuthorized(msg.sender, msg.sender, tokenId), "FORBIDDEN");
}

Continue to track the ERC721Upgradeable._isAuthorized function:

    function _isAuthorized(address owner, address spender, uint256 tokenId) internal view virtual returns (bool) {
        return
            spender != address(0) &&
            (owner == spender || isApprovedForAll(owner, spender) || _getApproved(tokenId) == spender);
    }

Because in the function _requireOnlyOperatorOrOwnerOf, the first two parameters passed to the _isAuthorized function are both msg.sender, so owner equals spender inside the _isAuthorized function, so the _isAuthorized function always returns true!

Impact

The function _requireOnlyOperatorOrOwnerOf is invalid

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L140-L142

Tool used

Manual Review

Recommendation

Modify and optimize

function _requireOnlyOperatorOrOwnerOf(uint256 tokenId) internal view {
    // isApprovedOrOwner: caller has no rights on token
  require(ERC721Upgradeable._isAuthorized(_ownerOf(tokenId), msg.sender, tokenId), "FORBIDDEN");
}

Duplicate of #378
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin3 sherlock-admin3 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Agreeable Rose Peacock - The _requireOnlyOperatorOrOwnerOf function in the MlumStaking contract has a vulnerability, and users can bypass the judgment neon2835 - The _requireOnlyOperatorOrOwnerOf function in the MlumStaking contract has a vulnerability, and users can bypass the judgment Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin3 @sherlock-admin4