The Standard
The Standard
DeFiHardhat
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

_afterTokenTransfer() does not fully transfer ownership

0xbtk

Summary

_afterTokenTransfer() purpose is to give the ownership address to the to address. However, it misses to delete the from approvals before transferring the vault.

Vulnerability Details

Here is a simple rundown of the issue:

  • Alice is the owner of a vault (Token Id 1)

  • She approved Jim to use the vault

  • After a few days, Alice sold the vault to bob.

  • Bob is now the owner of the vault (Token Id 1). However, Alice approvals are not revoked.

  • Thus, if at some point in the future the vault get back to Alice, she won't remember || know that Jim still have access to transfer the vault.

  • Jim can now steal the vault from Alice by transferring the vault to himself.

Here is a coded PoC to demonstrate the issue:

function testApprovals() public {
// Alice is the owner of a vault (Token Id 1)
vm.prank(alice);
(/*address vault*/, uint256 tokenId) = smartVaultManagerV5.mint();
assertEq(smartVaultManagerV5.ownerOf(tokenId), alice);
// She approved Jim to use the vault
vm.prank(alice);
smartVaultManagerV5.setApprovalForAll(jim, true);
vm.warp(block.timestamp + 6 days);
// After a few days, Alice sold the vault to bob.
vm.prank(alice);
smartVaultManagerV5.transferFrom(alice, bob, tokenId);
vm.warp(block.timestamp + 13 weeks);
// At some point in the future, the vault get back to Alice
// She don't remember || know that Jim still have access to transfer the vault.
vm.prank(bob);
smartVaultManagerV5.transferFrom(bob, alice, tokenId);
// Jim will steal the vault from Alice
vm.prank(jim);
smartVaultManagerV5.transferFrom(alice, jim, tokenId);
}

Test Setup:

  • Incorporate this gist in the tests folder.

  • Execute: forge test --mt testApprovals -vvv

Impact

Previously approved users can hijack the vault from the owner.

Tools Used

Manual review

Recommendations

Reset the owner approvals before transferring the vault.

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

0xbtk Submitter
over 1 year ago
hrishibhat Lead Judge
over 1 year ago
0xbtk Submitter
over 1 year ago
hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.