Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Incorrect Override in _update function

Summary

Incorrect override in the _update function, likely intended to override _beforeTokenTransfer instead. This may lead to unexpected behavior during token transfers.


Finding Description

In the OWPIdentity contract, there is an attempt to override a function named _update, which does not exist in ERC1155 or ERC1155Supply. This appears to be a mistaken override of the _beforeTokenTransfer function, which is typically used in ERC1155-based contracts to manage token transfers and enforce transfer restrictions. Failing to properly override _beforeTokenTransfer means the intended restrictions on token transferability are not enforced, potentially allowing unauthorized transfers if other code relies on this check.

The issue affects the contract’s security by potentially breaking the intended non-transferability guarantee of the tokens. An attacker could bypass the restriction on transfers if the logic in _beforeTokenTransfer is not correctly implemented.


Vulnerability Details

In the current code:

    function _update(
        address from,
        address to,
        uint256[] memory ids,
        uint256[] memory amounts
    ) internal virtual override(ERC1155, ERC1155Supply) {
        require(from == address(0) || to == address(0), "OWPIdentity: NFT Not transferrable.");
        super._update(from, to, ids, amounts);
    }

This function aims to prevent transfers by ensuring the from or to address is zero (minting or burning). However, _update does not override any function in ERC1155 or ERC1155Supply, so this logic is never executed.


Impact

The impact is categorized as High because it breaks the intended restriction on transferability, allowing tokens to be transferred in unintended ways. This could compromise the integrity of the token’s purpose if transferability is critical to its function within the application.


Proof of Concept

Attempting to transfer tokens with a non-zero from or to address should fail, but due to the incorrect override, this transfer check is bypassed. Thus, a transfer would proceed when it should not.

Example:

    function _beforeTokenTransfer(
        address operator,
        address from,
        address to,
        uint256[] memory ids,
        uint256[] memory amounts,
        bytes memory data
    ) internal virtual override(ERC1155, ERC1155Supply) {
        require(from == address(0) || to == address(0), "OWPIdentity: NFT Not transferrable.");
        super._beforeTokenTransfer(operator, from, to, ids, amounts, data);
    }

Recommendations

Replace the _update function with an override of _beforeTokenTransfer, matching its correct signature. This ensures the restriction is applied during token transfers.

Fixed Code:

    function _beforeTokenTransfer(
        address operator,
        address from,
        address to,
        uint256[] memory ids,
        uint256[] memory amounts,
        bytes memory data
    ) internal virtual override(ERC1155, ERC1155Supply) {
        require(from == address(0) || to == address(0), "OWPIdentity: NFT Not transferrable.");
        super._beforeTokenTransfer(operator, from, to, ids, amounts, data);
    }

File Location

OWPIdentity.sol

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
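
An added example (not from the submission, the project, or OpenZeppelin): a constructed minimal model of a base token that routes mint, burn and transfer through one virtual `_update`, as OpenZeppelin Contracts 5.x does, with the mint/burn-only guard from this page placed in the override. `MiniBase`, `SoulboundModel`, `mint` and `_one` are hypothetical names, and the model has no access control or approvals.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal model: NOT OpenZeppelin's ERC1155 and NOT the project's code.
contract MiniBase {
    mapping(uint256 => mapping(address => uint256)) public balanceOf;

    // Single internal entry point for mint (from == 0), burn (to == 0) and transfer.
    function _update(address from, address to, uint256[] memory ids, uint256[] memory values)
        internal
        virtual
    {
        for (uint256 i = 0; i < ids.length; ++i) {
            if (from != address(0)) balanceOf[ids[i]][from] -= values[i];
            if (to != address(0)) balanceOf[ids[i]][to] += values[i];
        }
    }

    function safeTransferFrom(address from, address to, uint256 id, uint256 value) external {
        require(from == msg.sender, "MiniBase: not owner");
        _update(from, to, _one(id), _one(value));
    }

    function _one(uint256 x) internal pure returns (uint256[] memory a) {
        a = new uint256[](1);
        a[0] = x;
    }
}

contract SoulboundModel is MiniBase {
    // `override` compiles only because MiniBase declares a virtual _update with this
    // exact signature; with no matching base function, solc rejects the contract.
    function _update(address from, address to, uint256[] memory ids, uint256[] memory values)
        internal
        override
    {
        require(from == address(0) || to == address(0), "OWPIdentity: NFT Not transferrable.");
        super._update(from, to, ids, values);
    }

    // Model-only mint with no access control; from == address(0) passes the guard.
    function mint(address to, uint256 id, uint256 value) external {
        _update(address(0), to, _one(id), _one(value));
    }
    // safeTransferFrom(a, b, ...) with both addresses non-zero reverts in the guard above.
}
```

To check a real contract the same way, confirm which hook its pinned base library version declares as `virtual`, then write a test that mints a token and asserts that a holder-to-holder transfer reverts.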
