Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

`MembershipERC1155` and `OWPIdentity.sol` are not EIP-1155 compliant

Summary

MembershipERC1155 inherits from ERC1155Upgradeable and AccessControlUpgradeable:
https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/tokens/MembershipERC1155.sol#L13

Looking at the following function:

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/dao/tokens/MembershipERC1155.sol#L135

```solidity
function supportsInterface(bytes4 interfaceId)
    public view override(ERC1155Upgradeable, AccessControlUpgradeable) returns (bool) {
    return
        interfaceId == type(IMembershipERC1155).interfaceId ||
        super.supportsInterface(interfaceId);
}
```

If the interfaceId does not match type IMembershipERC1155, the function proceeds to call supportsInterface() by invoking the super keyword. Since AccessControlUpgradeable is the more derived contract, it will call supportsInterface on the AccessControlUpgradeable contract.

The supportsInterface() function of AccessControlUpgradeable checks if the interfaceId matches IAccessControl, otherwise it will again proceed to call supportsInterface() invoking the super keyword.

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/access/AccessControlUpgradeable.sol#L90

```solidity
function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
    return interfaceId == type(IAccessControl).interfaceId || super.supportsInterface(interfaceId);
}
```

AccessControlUpgradeable inherits ERC165Upgradeable, so it will call the supportsInterface() function for that contract:

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/utils/introspection/ERC165Upgradeable.sol#L30-L32

```solidity
function supportsInterface(bytes4 interfaceId) public view virtual returns (bool) {
    return interfaceId == type(IERC165).interfaceId;
}
```

We can see that the supportsInterface() function is never invoked for ERC1155Upgradeable, therefore the following function is never called:

https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/token/ERC1155/ERC1155Upgradeable.sol#L58

```solidity
function supportsInterface(bytes4 interfaceId) public view virtual override(ERC165Upgradeable, IERC165) returns (bool) {
    return
        interfaceId == type(IERC1155).interfaceId ||
        interfaceId == type(IERC1155MetadataURI).interfaceId ||
        super.supportsInterface(interfaceId);
}
```

Note that this issue also applies to OWPIdentity.sol, where the supportsInterface() of AccessControl is not called (since ERC1155Supply inherits ERC1155, it will call that first): https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/OWPIdentity.sol#L104

Impact

The contract is meant to be a strict implementation of ERC1155, but it does not implement the mandatory ERC1155.supportsInterface() function.

Protocols that integrate with The One World Project may assume that it is ERC1155 compliant and users may incorrectly assume that IERC1155 or IERC1155MetadataURI interfaces are not supported, which can lead to a range of issues for relevant parties. This will also damage the brand of the protocol and limit market growth.

Reference

Here is a similar issue from a past contest: https://github.com/sherlock-audit/2024-04-titles-judging/issues/287

Recommendations

Ensure that supportsInterface() is also called for ERC1155Upgradeable within MembershipERC1155. Apply the following changes to MembershipERC1155, and consider making similar changes to OWPIdentity.sol:

function supportsInterface(bytes4 interfaceId)
public view override(ERC1155Upgradeable, AccessControlUpgradeable) returns (bool) {
return
interfaceId == type(IMembershipERC1155).interfaceId ||
- super.supportsInterface(interfaceId);
+ AccessControlUpgradeable.supportsInterface(interfaceId) ||
+ ERC1155Upgradeable.supportsInterface(interfaceId);
}
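
Review bot: on the two `+` lines, naming `AccessControlUpgradeable.supportsInterface(interfaceId)` and `ERC1155Upgradeable.supportsInterface(interfaceId)` explicitly does not bypass linearization: the `super` call inside each parent still resolves against MembershipERC1155's C3 order, so the two named calls walk overlapping parts of the same chain that the removed `super.supportsInterface(interfaceId)` line already walks once. Before making this change, add a test that calls supportsInterface() on the deployed contract with type(IERC1155).interfaceId, type(IERC1155MetadataURI).interfaceId and type(IAccessControl).interfaceId; if all three already return true, keep the `super` line.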

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

crypticdefense Submitter
about 1 year ago
0xbrivan2 Lead Judge
about 1 year ago
crypticdefense Submitter
about 1 year ago
0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
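
An added example, not part of the submission or of the project's code: a self-contained reduction of the inheritance diamond discussed above, showing how Solidity resolves `super` against the most derived contract's C3 linearization. The contracts ERC165Like, TokenLike, AccessLike, Membership and LinearizationCheck are hypothetical stand-ins, and the base order of Membership is an assumption taken from the submission's description.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical stand-in contracts (not OpenZeppelin or project code).
interface IERC165 {
    function supportsInterface(bytes4 id) external view returns (bool);
}

contract ERC165Like is IERC165 {
    function supportsInterface(bytes4 id) public view virtual returns (bool) {
        return id == type(IERC165).interfaceId;
    }
}

// Stands in for ERC1155Upgradeable.
contract TokenLike is ERC165Like {
    bytes4 internal constant ERC1155_ID = 0xd9b67a26; // ERC-1155 interface id
    function supportsInterface(bytes4 id) public view virtual override returns (bool) {
        return id == ERC1155_ID || super.supportsInterface(id);
    }
}

// Stands in for AccessControlUpgradeable.
contract AccessLike is ERC165Like {
    bytes4 internal constant ACCESS_ID = 0x7965db0b; // IAccessControl interface id
    function supportsInterface(bytes4 id) public view virtual override returns (bool) {
        return id == ACCESS_ID || super.supportsInterface(id);
    }
}

// Assumed base order: token base first, access-control base second.
// Linearized lookup order for super: Membership, AccessLike, TokenLike, ERC165Like.
contract Membership is TokenLike, AccessLike {
    function supportsInterface(bytes4 id)
        public view override(TokenLike, AccessLike) returns (bool)
    {
        return super.supportsInterface(id);
    }
}

contract LinearizationCheck {
    // Reverts if any link of the super chain is skipped.
    function run() external returns (bool) {
        Membership m = new Membership();
        require(m.supportsInterface(0x7965db0b), "AccessLike not reached");
        require(m.supportsInterface(0xd9b67a26), "TokenLike not reached");
        require(m.supportsInterface(type(IERC165).interfaceId), "ERC165Like not reached");
        require(!m.supportsInterface(0xffffffff), "unknown id accepted");
        return true;
    }
}
```

Swapping the base order to `is AccessLike, TokenLike` changes which parent `super` reaches first but not the set of parents reached, so `run()` is a useful regression check for either ordering.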
