The _update function in the AccountNFT contract does not verify if the auth address is authorized to transfer the NFT. This could allow unauthorized transfers of NFTs if an attacker gains access to the _update function.
The _update function is responsible for updating the ownership of an NFT and notifying the IPerpsEngine contract about the transfer. However, it does not check if the auth address provided as an argument is authorized to initiate the transfer.
https://github.com/Cyfrin/2024-07-zaros/blob/main/src/account-nft/AccountNFT.sol#L23-L28
An attacker could potentially call the _update function directly with an arbitrary auth address and transfer NFTs without the owner's permission.
Attackers could exploit this vulnerability to transfer NFTs without the owner's consent, leading to the loss of valuable assets.
Manual review
Add logic to the _update function to verify if the auth address is authorized to transfer the NFT. This could involve checking if the auth address is the owner of the NFT, has been approved by the owner, or is a trusted operator.
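One way to write the check recommended above, as an added example rather than code from the Zaros repository. It assumes the contract inherits OpenZeppelin Contracts v5 ERC721; GuardedAccountNFT, ITransferListener and onAccountTransfer are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Hypothetical stand-in for the engine that is notified of transfers.
interface ITransferListener {
    function onAccountTransfer(address to, uint256 tokenId) external;
}

// Hypothetical contract name; assumes OpenZeppelin Contracts v5 ERC721.
contract GuardedAccountNFT is ERC721 {
    ITransferListener public immutable listener;

    constructor(ITransferListener listener_) ERC721("Guarded Account NFT", "GACC") {
        listener = listener_;
    }

    // Only the listener (engine) may mint in this example.
    function mint(address to, uint256 tokenId) external {
        require(msg.sender == address(listener), "not engine");
        _mint(to, tokenId);
    }

    function _update(address to, uint256 tokenId, address auth)
        internal
        override
        returns (address previousOwner)
    {
        address from = _ownerOf(tokenId);

        // A mint has no current owner, so there is nothing to authorize against.
        if (from != address(0)) {
            // _isAuthorized is true only when auth is the owner, the address
            // approved for tokenId, or an operator approved for all of the
            // owner's tokens. It is false for address(0), so internal callers
            // that pass a zero auth (such as _burn) revert here as well.
            if (!_isAuthorized(from, auth, tokenId)) {
                revert ERC721InsufficientApproval(auth, tokenId);
            }
        }

        previousOwner = super._update(to, tokenId, auth);

        // Notify only after the ownership change has passed the check.
        listener.onAccountTransfer(to, tokenId);
    }
}
```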