Potential Token Loss Due to Unchecked ERC721 Transfer in Escrow Deposit
Summary
The _depositIntoEscrow function in the Starklane escrow contract does not verify the success of ERC721 token transfers, which could lead to tokens being lost or the escrow state becoming inconsistent.
Vulnerability Details
In the _depositIntoEscrow function (lines 26-53), the ERC721 token transfer is performed without checking its return value:
The transferFrom function of some ERC721 implementations might not revert on failure but instead return a boolean indicating the success of the operation. By not checking this return value, the contract assumes the transfer was successful and updates the escrow state regardless of the actual outcome.
Impact
This vulnerability could lead to:
Loss of user tokens if the transfer fails silently
Inconsistent escrow state where the contract believes it holds tokens it doesn't actually possess
Potential blocking of the bridging process for affected tokens
Financial losses for users who believe their tokens are safely escrowed
The severity is high due to the potential for direct financial loss and system state inconsistency.
Tools Used
Manual code review
Recommendations
Use OpenZeppelin's safeTransferFrom function instead of transferFrom for ERC721 tokens:
or instead you can decide to still use transferFrom but check the return value.
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.