Summary

The contract's _depositIntoEscrow and _withdrawFromEscrow functions transfer a fixed amount of 1 unit for ERC1155 tokens without verifying the actual token supply. This behavior can result in incorrect handling of tokens.

Vulnerability Details

• The vulnerability lies in the assumption that all ERC1155 tokens have a supply of 1. This assumption is embedded in the following lines of code:

• During deposit and withdrawal, the contract does not check the actual supply of the token, which can lead to mismanagement of the token's balance.

Impact

Impact:

• Fungible Tokens: If a user deposits multiple units of a fungible ERC1155 token (e.g., 100 units), the contract only handles 1 unit, potentially leading to the loss or incorrect management of the remaining 99 units.

• Non-Fungible Tokens: Non-fungible ERC1155 tokens, which should be unique and have a supply of 1, may be mishandled if the contract does not properly verify and enforce this supply.

Tools Used

Manual Review

Recommendations

• Implement checks within the _depositIntoEscrow and _withdrawFromEscrow functions to verify the actual supply of ERC1155 tokens.

• Ensure that the contract correctly handles tokens with varying supplies, distinguishing between fungible and non-fungible tokens.

• Example check to ensure the token supply is 1:

  require(IERC1155(collection).balanceOf(msg.sender, id) == 1, "Token supply must be 1");

  ​

  //Consider updating the logic to handle different cases where the supply is greater than 1, ensuring that multiple units are correctly deposited and withdrawn.

  ​