Sablier
Sablier
DeFiFoundry
53,440 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

`SablierV2Lockup::withdrawMaxAndTransfer()` can cause ERC721 token loss if `newRecepient` can't handle it

0xdemon

Summary

SablierV2Lockup::withdrawMaxAndTransfer() can cause ERC721 token loss if newRecepient cant handle it. This issue can occur because the function use _transfer instead of safeTransferFrom function for ERC721 token.

Vulnerability Details

function _transfer(address from, address to, uint256 tokenId) internal {
if (to == address(0)) {
revert ERC721InvalidReceiver(address(0));
}
address previousOwner = _update(to, tokenId, address(0));
if (previousOwner == address(0)) {
revert ERC721NonexistentToken(tokenId);
} else if (previousOwner != from) {
revert ERC721IncorrectOwner(from, tokenId, previousOwner);
}
}

As can be seen above, the _transfer() function does not trigger the _checkOnERC721Received() which functions to check whether the recipient can handle the ERC721 or not.

As OpenZeppelin’s documentation stated :

Note that the caller is responsible to confirm that the recipient is capable of receiving ERC721 or else they may be permanently lost. Usage of safeTransferFrom prevents loss, though the caller must understand this adds an external call which potentially creates a reentrancy vulnerability.

Impact

ERC721 token loss if newRecepient can’t handle it

Tools Used

Manual Review

Recommended Mitigation

Use safeTransferFrom() when sending out the ERC721 token

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Info/Gas/Invalid as per Docs

https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.