NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Unsafe token transfers in _depositIntoEscrow()

Summary

The _depositIntoEscrow() function uses transferFrom() directly from the ERC721 contract, which is considered unsafe. Not using safeTransferFrom() while depositing tokens into the escrow of a bridge contract can lead to security issues due to non-compliance with the ERC721 standard.

Vulnerability Details

The safeTransferFrom method in ERC721 ensures that the receiving contract is prepared to handle ERC721 tokens, which prevents tokens from being locked in contracts that do not recognize them. Omitting this call can result in tokens being sent to contracts without proper handling mechanisms.

Impact

Not using the safeTransferFrom() can result in irreversible loss of tokens, as they may become stuck in contracts that cannot interact with them.

Tools Used

Manual code review

Recommendations

It is advised to update the token transfer logic to use safeTransferFrom() instead of the regular transfer method.
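To make the recommendation concrete, the following escrow sketch is an added example and is not the NFTBridge code: it shows the flagged transferFrom() deposit beside a safeTransferFrom() deposit, the onERC721Received hook the escrow must implement for the safe variant to succeed, and a withdraw path, which is what actually decides whether a token is "stuck". Contract and function names are assumptions; the OpenZeppelin interfaces are real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

/// Hypothetical escrow (not the NFTBridge code) contrasting the two deposit styles.
contract EscrowExample is IERC721Receiver {
    IERC721 public immutable nft;
    mapping(uint256 => address) public depositor;

    constructor(IERC721 _nft) {
        nft = _nft;
    }

    // Style the finding flags: transferFrom() performs no receiver check.
    // If the recipient were a contract without a way to move the token out,
    // the token would be locked there; here the escrow exposes withdraw().
    function depositUnchecked(uint256 tokenId) external {
        depositor[tokenId] = msg.sender;
        nft.transferFrom(msg.sender, address(this), tokenId);
    }

    // Recommended style: safeTransferFrom() moves the token and then calls
    // onERC721Received on the recipient, reverting if the hook is missing or
    // returns the wrong selector. The hook is an external call into this
    // contract, so state is updated before the transfer (checks-effects-interactions).
    function depositSafe(uint256 tokenId) external {
        depositor[tokenId] = msg.sender;
        nft.safeTransferFrom(msg.sender, address(this), tokenId);
    }

    // Required for safeTransferFrom() to succeed when this contract is the recipient.
    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        override
        returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }

    // Withdrawal path: with it present, a deposited token is recoverable
    // whichever transfer method was used on the way in.
    function withdraw(uint256 tokenId) external {
        require(depositor[tokenId] == msg.sender, "not depositor");
        delete depositor[tokenId];
        nft.safeTransferFrom(address(this), msg.sender, tokenId);
    }
}
```

Assessing impact therefore comes down to whether the real escrow contract has a path to release the token, which is the question the judge's comment below raises.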

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.

Appeal created

kaifahmed Submitter 9 months ago
n0kto Lead Judge 9 months ago
