ArbitraryCallsProposal: onERC1155Received callable #108
Labels:
bug: Something isn't working
duplicate: This issue or pull request already exists
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
resolved: Finding has been patched by sponsor (sponsor pls link to PR containing fix)
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code:
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/proposals/ArbitraryCallsProposal.sol#L194
Vulnerability details
Impact
In ArbitraryCallsProposal, calls to onERC721Received are blocked so that a contract cannot be tricked into thinking it received that token. However, calls to onERC1155Received can still be made. This is problematic because ERC-1155 is backwards compatible with ERC-721 (see "Backwards Compatibility" in https://eips.ethereum.org/EIPS/eip-1155), and hybrid ERC-1155/ERC-721 contracts exist (e.g., https://github.com/thesandboxgame/thesandbox-contracts/blob/master/src/Asset/ERC1155ERC721.sol).
Proof Of Concept
Because these hybrid tokens exist, a smart contract that receives both ERC-1155 and ERC-721 tokens might have logic like this:
In such a scenario, it could still be tricked into thinking that it received an NFT.
Recommended Mitigation Steps
Also disallow calls to onERC1155Received.
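As an added illustration (not PartyDAO's code and not the reporter's PoC, which did not survive extraction), the sketch below shows a receiver that trusts either callback as proof of a deposit, followed by a selector filter of the kind the mitigation calls for. The filter also covers onERC1155BatchReceived, which the report does not mention; the contract names, `holds` mapping and `isReceiveHook` helper are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Hybrid receiver (constructed example): credits msg.sender as a token
// contract on EITHER callback. A contract with this logic is exactly what
// ArbitraryCallsProposal must not be allowed to call directly.
contract HybridNftVault {
    mapping(address => mapping(uint256 => bool)) public holds;

    function onERC721Received(address, address, uint256 tokenId, bytes calldata)
        external returns (bytes4)
    {
        holds[msg.sender][tokenId] = true;
        return this.onERC721Received.selector; // 0x150b7a02
    }

    function onERC1155Received(address, address, uint256 id, uint256, bytes calldata)
        external returns (bytes4)
    {
        // Same trust assumption as the ERC-721 hook; blocking only the
        // ERC-721 selector leaves this path open.
        holds[msg.sender][id] = true;
        return this.onERC1155Received.selector; // 0xf23a6e61
    }
}

// Call filter (assumption, not the project's code): refuse any arbitrary
// call whose 4-byte selector is one of the token-receive hooks.
library ReceiveHookFilter {
    // onERC721Received(address,address,uint256,bytes)
    bytes4 internal constant ERC721_RECEIVED = 0x150b7a02;
    // onERC1155Received(address,address,uint256,uint256,bytes)
    bytes4 internal constant ERC1155_RECEIVED = 0xf23a6e61;
    // onERC1155BatchReceived(address,address,uint256[],uint256[],bytes)
    bytes4 internal constant ERC1155_BATCH_RECEIVED = 0xbc197c81;

    function isReceiveHook(bytes memory data) internal pure returns (bool) {
        if (data.length < 4) return false;   // no selector, cannot be a hook
        bytes4 sel = bytes4(data);           // first four bytes of calldata
        return sel == ERC721_RECEIVED
            || sel == ERC1155_RECEIVED
            || sel == ERC1155_BATCH_RECEIVED;
    }
}
```

A proposal executor would call `ReceiveHookFilter.isReceiveHook(call.data)` for each arbitrary call and revert when it returns true, alongside the existing onERC721Received check.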