Starknet Auction
First Flight #26
Beginner FriendlyNFT
100 EXP
View results
Previous Next
Submission Details
Severity: high
Invalid

Lack of Validation for ERC20 and ERC721 Addresses in Constructor

0xserpent

Summary

The constructor function does not validate whether the addresses provided for the ERC20 and ERC721 tokens are valid contracts. This could lead to the contract interacting with incorrect or malicious token contracts.

Vulnerability Details

In the constructor:

fn constructor(ref self: ContractState, erc20_token: ContractAddress, erc721_token: ContractAddress, _nft_id: u64) {
self.erc20_token.write(erc20_token);
self.erc721_token.write(erc721_token);
self.nft_id.write(_nft_id);
self.nft_owner.write(caller);
}

There is no validation to ensure that erc20_token and erc721_token are actual token contracts. A malicious actor could provide addresses that don’t conform to the expected interfaces, potentially leading to undefined behavior or contract malfunction.

Impact

If invalid or malicious contract addresses are provided, the auction could fail to properly transfer tokens (either bids or NFTs), leading to loss of assets or broken functionality.

Tools Used

  • Manual code review

Recommendations

  • Add checks to validate that the provided ERC20 and ERC721 addresses implement the expected token standards. For example, use a function that checks if these addresses respond to the standard ERC20/ERC721 interface methods.

  • You could consider adding a try/catch mechanism (if supported) or use a function that verifies token interfaces before assigning the contract addresses.

Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.