Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

``supportsInterface()`` function is not implemented correctly.

0xsandy

Summary

supportsInterface() function is not implemented correctly due to incorrect inheritance order.

Vulnerability Details

In solidity, Contracts can inherit from multiple parent contracts but when a function is called that is defined multiple times in different contracts, parent contracts are searched from right to left, and in depth-first manner.

In our case:

./MembershipERC1155.sol
contract MembershipERC1155 is ERC1155Upgradeable, AccessControlUpgradeable, IMembershipERC1155 {
}
./MembershipERC1155.sol
function supportsInterface(bytes4 interfaceId)
public view override(ERC1155Upgradeable, AccessControlUpgradeable) returns (bool) {
return
interfaceId == type(IMembershipERC1155).interfaceId ||
super.supportsInterface(interfaceId);
}

In our case, MembershipERC1155 contract inherits from ERC1155Upgradeable and AccessControlUpgradeable and the supportsInterface() function also overrides them in the same order i.e (ERC1155Upgradeable, AccessControlUpgradeable).

Now, when the supportsInterface() function is called,

return
interfaceId == type(IMembershipERC1155).interfaceId ||
super.supportsInterface(interfaceId);

it checks either type(IMembershipERC1155).interfaceId or super.supportsInterface(interfaceId). The super.supportsInterface(interfaceId) actually calls the supportsInterface() function of AccessControlUpgradeable contract instead of ERC1155Upgradeable contract due to the inheritance order and right to left rule.

Thus, both the above cases doesn't check the interfaceid with the ERC1155 interface id.

Note: IMembershipERC1155 is a custom implementation and not the original IERC1155.

Impact

From the above description, it is clear that the supportsInterface() function of MembershipERC1155.sol contract doesn't actually check the interfaceid with the ERC1155 interface id.

Now, for our protocol, this is a problematic issue as our protocol heavily relies on ERC1155 tokens. Membership tokens are ERC1155 tokens, OWPIdentity tokens are ERC1155 tokens and most of our operations are conducted on these tokens.

So, when our protocol implements these tokens and their functionalities, the users who are supposed to be interacting with these tokens won't be able to do so. Because user wallets won't be compatible with ERC1155.

This happens because, wallets and multisigs determine whether the given token/contract is ERC1155 compatible by calling the supportsInterface() function. Also, External marketplaces use supportsInterface() function to validate tokens before listing. Thus, if anyone decides to list their MembershipERC1155 tokens in a marketplace to sell, they won't be able to do so. This issue can also cause problems with external protocol integration too.

Tools Used

Manual Analysis

Recommendations

Modify the supportsInterface() function as:

./MembershipERC1155.sol
function supportsInterface(bytes4 interfaceId)
public view override(ERC1155Upgradeable, AccessControlUpgradeable) returns (bool) {
return ERC1155Upgradeable.supportsInterface(interfaceId);
}

Also the same issue exists in the OWPIdentity.sol function and the fix is the same:

./OWPIdentity.sol
function supportsInterface(bytes4 interfaceId)
public
view
override(ERC1155, AccessControl)
returns (bool)
{
return ERC1155.supportsInterface(interfaceId)
}
Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.