A Silo deposit is an ERC1155 token, where address token || uint96 stem is the tokenId. These deposits can be transferred via the functions SiloFacet.transferDeposit() and SiloFacet.transferDeposits().
In addition to ERC1155's allowance, Silo has custom allowances that limit the number of tokens. So there are 2 allowance mechanisms:
The problem is that ERC1155's allowance, isApprovedForAll, is never used on transfers; the code uses only the custom version.
On transfers it spends allowance via LibSiloPermit._spendDepositAllowance():
Let's have a look at what it does. As you can see, it doesn't matter if isApprovedForAll == true.
Note that calling setApprovalForAll() doesn't affect the other allowance:
ERC1155's allowance doesn't give permission to transfer deposits, contrary to EIP1155.
Manual Review
Allow deposit transfers if the operator is approved via the EIP1155 allowance.
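A minimal model of the two allowance paths and of the recommended check, added here as an example; it is not Beanstalk's code and not part of the original submission. The contract name, storage layout, function names and revert string are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration with hypothetical names; not Beanstalk's contracts.
contract DepositAllowanceModel {
    // EIP-1155 operator approval: owner => operator => approved
    mapping(address => mapping(address => bool)) private _operatorApprovals;
    // Custom amount-limited allowance: owner => spender => token => amount
    mapping(address => mapping(address => mapping(address => uint256))) private _depositAllowances;

    event ApprovalForAll(address indexed account, address indexed operator, bool approved);

    function setApprovalForAll(address operator, bool approved) external {
        _operatorApprovals[msg.sender][operator] = approved;
        emit ApprovalForAll(msg.sender, operator, approved);
    }

    function isApprovedForAll(address owner, address operator) public view returns (bool) {
        return _operatorApprovals[owner][operator];
    }

    function approveDeposit(address spender, address token, uint256 amount) external {
        _depositAllowances[msg.sender][spender][token] = amount;
    }

    function depositAllowance(address owner, address spender, address token) external view returns (uint256) {
        return _depositAllowances[owner][spender][token];
    }

    // Behaviour the finding describes: only the custom allowance is consulted,
    // so an operator approved via setApprovalForAll() reverts here.
    function spendCustomOnly(address owner, address token, uint256 amount) external {
        _spend(owner, msg.sender, token, amount);
    }

    // Recommended behaviour: the owner or an EIP-1155 approved operator passes
    // without touching the custom allowance; anyone else must hold enough of it.
    function spendWithOperatorCheck(address owner, address token, uint256 amount) external {
        if (msg.sender == owner || isApprovedForAll(owner, msg.sender)) return;
        _spend(owner, msg.sender, token, amount);
    }

    function _spend(address owner, address spender, address token, uint256 amount) private {
        uint256 current = _depositAllowances[owner][spender][token];
        require(current >= amount, "insufficient deposit allowance");
        _depositAllowances[owner][spender][token] = current - amount;
    }
}
```

Honoring isApprovedForAll gives an approved operator transfer rights with no amount limit, so the amount-limited custom allowance then constrains only spenders that are not operators.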
Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity