Using `transfer_from` may cause the user's NFT to be frozen in a contract that does not support ERC721
Summary
There are certain smart contracts that do not support ERC721, using transfer_from() may result in the NFT being sent to such contracts.
Vulnerability Details
inside bridge contract in function withdraw_auto_from_l1 the contract use transfer_from which it unsafe
OpenZeppelin’s documentation discourages the use of
transfer_from
WARNING: This method may lead to the loss of tokens if
tois not aware of the ERC721
Impact
While unlikely because the recipient is the function caller, there is the potential loss of NFTs should the recipient is unable to handle the sent ERC721s.
Tools Used
Manual Review
Recommendations
Use safe_transfer_from when sending out the NFT
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Appeal created
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.