manual ERC721 transfers from being claimed by anyone
Summary:
If someone manually transfers an ERC721 token to the contract, it can be claimed by anyone since the contract does not verify the original depositor.
Vulnerability Details:
Deposit Function:
The _depositIntoEscrow function records the depositor’s address in the _escrow mapping.
However, if a token is manually transferred to the contract without using this function, the _escrow mapping is not updated.
Withdraw Function:
The _withdrawFromEscrow function checks if the token is in escrow but does not verify the original depositor.
This means anyone could potentially call the withdraw function and claim ownership of manually transferred tokens.
Example Scenario:
User A manually transfers an ERC721 token to the contract.
The _escrow mapping is not updated.
User B calls the _withdrawFromEscrow function and successfully withdraws the token, even though they did not originally deposit it.
Impact:
Since the contract does not verify the original depositor when withdrawing tokens, anyone can claim ownership of a token that was manually transferred to the contract. This effectively allows malicious actors to steal tokens that do not belong to them.
Tools Used:
Manual review
Recommendations:
Ensure that only tokens deposited through the _depositIntoEscrow function can be withdrawn.
Implement checks to verify the original depositor before allowing withdrawals.
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.