If a vault is transferred to address(0), it is bricked permanently: the contract logic allows transfers to the zero address, but afterwards ownership of the vault cannot be granted to a new owner.
In SmartVaultManagerV5.sol, _afterTokenTransfer is used when a transfer of a vault is initiated by the manager role in the out-of-scope contract SmartVaultIndex.
Let's look at the code in smartVaultIndex:
Basically, removeTokenId just removes the vault from the from address and pushes it to the to address. Back in _afterTokenTransfer, there is an if statement:
if (address(_from) != address(0)) ISmartVault(smartVaultIndex.getVaultAddress(_tokenId)).setOwner(_to);
which requires the from address to be != 0. The first transfer passes this check, with the to address set to address(0) since that is allowed. The next attempt to transfer ownership fails, however, because from is now address(0), yet the vault is still counted in the tokenIds of the new to address.
Once a vault has been transferred to address(0), transferring it to a new owner adds it to that owner's tokenIds, but the new owner cannot obtain ownership of it, and the vault becomes useless as almost no functionality can be invoked.
Manual Audit
Restrict address(0) transfers
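The sequence described above, replayed in a small Python model with and without the recommended restriction. This is an added example, not code from SmartVaultManagerV5 or SmartVaultIndex; the class and method names, the addresses alice and bob, and the separate mint step are assumptions made for the model.

```python
# Model of the flow as the finding describes it (not the project's code).
ZERO = "0x0000000000000000000000000000000000000000"


class Vault:
    def __init__(self, owner):
        self.owner = owner  # what setOwner() would update on the real vault


class Manager:
    """Models only the index bookkeeping and the quoted setOwner guard."""

    def __init__(self, reject_zero_recipient=False):
        self.reject_zero_recipient = reject_zero_recipient  # the recommended fix
        self.token_ids = {}  # address -> token ids (stands in for SmartVaultIndex)
        self.vaults = {}     # token id -> Vault

    def mint(self, to, token_id):
        # Assumption: a new vault starts out owned by the address it is minted to.
        self.vaults[token_id] = Vault(to)
        self.token_ids.setdefault(to, []).append(token_id)

    def transfer(self, frm, to, token_id):
        if self.reject_zero_recipient and to == ZERO:
            raise ValueError("transfer to address(0) rejected")
        # Index update: remove the id from `frm`, push it to `to`.
        self.token_ids[frm].remove(token_id)
        self.token_ids.setdefault(to, []).append(token_id)
        # Quoted guard: the vault owner is updated only when from != address(0).
        if frm != ZERO:
            self.vaults[token_id].owner = to


def replay(manager):
    """alice -> address(0) -> bob; returns (bob's tokenIds, vault owner)."""
    manager.mint("alice", 1)            # constructed sample addresses and id
    manager.transfer("alice", ZERO, 1)  # owner becomes address(0)
    manager.transfer(ZERO, "bob", 1)    # guard skips the owner update
    return manager.token_ids.get("bob", []), manager.vaults[1].owner


if __name__ == "__main__":
    print(replay(Manager()))  # index lists the vault for bob, owner stays address(0)
```

With reject_zero_recipient=True the second step raises, so the index and the vault owner never diverge.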