NFTs will be locked if bridge to contracts without `onERC721Received` implementation
Summary
If a contract does not implement the onERC721Received, it cannot withdraw escrowed NFTs due to ERC721::safeTransferFrom(), resulting in NFTs being locked.
Vulnerability Details
The Escrow::_withdrawFromEscrow() function withdraws NFTs using the safeTransferFrom() method, which requires the receiving contract to implement the onERC721Received interface. If the receiving contract does not implement this interface, the transfer will fail, resulting in the NFTs being locked:
This issue can occur in the following cases:
A user can transfer NFTs to a contract that does not implement
onERC721Receivedusing theERC721::transferFrom()method. If this contract then attempts to bridge NFTs and subsequently cancels the request, thecancelRequest()transaction will revert, causing the NFTs to be locked.If NFTs are bridged from L2 to a L1 contract that does not implement
onERC721Received, the NFTs cannot be withdrawn, leading to them being permanently locked.
Impact
NFTs being locked.
Tools Used
vscode
Recommendations
Utilizing ERC721::transferFrom() to transfer NFTs instead.
Lead Judging Commences
finding-withdraw-safeTransferFrom-to-no-onERC721Received-will-revert
Impact: High, NFT will be stuck in L2 bridge. Likelyhood: Very low, sending NFT to a contract not implementing that function would almost be a user error.
Appeal created
finding-withdraw-safeTransferFrom-to-no-onERC721Received-will-revert
Impact: High, NFT will be stuck in L2 bridge. Likelyhood: Very low, sending NFT to a contract not implementing that function would almost be a user error.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.