Unsafe token transfers in _depositIntoEscrow()
Summary
The _depositIntoEscrow() function uses the transferFrom() directly from the ERC721 which is consodered unsafe, not using safeTransferFrom while depositing tokens to the escrow in a bridge contract can lead to security issues due to non-compliance with the ERC721 standard.
Vulnerability Details
The safeTransferFrom method in ERC721 ensures that the receiving contract is prepared to handle ERC721 tokens, which prevents tokens from being locked in contracts that do not recognize them. Omitting this call can result in tokens being sent to contracts without proper handling mechanisms.
Impact
Not using the safeTransferFrom() can result in irreversible loss of tokens, as they may become stuck in contracts that cannot interact with them.
Tools Used
Manual code review
Recommendations
It is advised to update the token transfer logic to include safeTransferFrom instead of a regular transfer method.
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Appeal created
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.