Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ArbitraryCallsProposal: onERC1155Received callable #108

Closed
code423n4 opened this issue Sep 17, 2022 · 3 comments
Closed

ArbitraryCallsProposal: onERC1155Received callable #108

code423n4 opened this issue Sep 17, 2022 · 3 comments
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/proposals/ArbitraryCallsProposal.sol#L194

Vulnerability details

Impact

In ArbitraryCallsProposal, any calls to onERC721Received are restricted to not trick contracts into thinking they received this token. However, calls to onERC1155Received can still be made. This is problematic because ERC1155 is backwards compatible with ERC721 (see Backwards Compatibility in https://eips.ethereum.org/EIPS/eip-1155) and there are hybrid ERC-1155/ERC-721 contracts (e.g., https://github.com/thesandboxgame/thesandbox-contracts/blob/master/src/Asset/ERC1155ERC721.sol)

Proof Of Concept

Because these hybrid tokens exist, a smart contract that receives ERC1155 & ERC721 tokens might have a logic like that:

function onERC721Received(
        address operator,
        address from,
        uint256 tokenId,
        bytes memory data
    ) external returns (bytes4) {
		_handleIncomingNFT(operator, from, tokenId, data);
		return IERC721Receiver.onERC721Received.selector;
}

function onERC1155Received(address operator, address from, uint256 tokenId, uint256 value, bytes calldata data) external returns(bytes4) {
		if (isNFT[msg.sender] && value == 1) # isNFT is a mapping that stores ERC1155 tokens where balanceOf(tokenId) <= 1
			_handleIncomingNFT(operator, from, tokenId, data);
		...
		return IERC1155Receiver.onERC1155Received.selector;
}

In such a scenario, they could still be tricked into thinking that they received a NFT.

Recommended Mitigation Steps

Also disallow calls to onERC1155Received.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Sep 17, 2022
code423n4 added a commit that referenced this issue Sep 17, 2022
@code423n4
Lambda issue #108
d240678
@merklejerk merklejerk added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Sep 21, 2022
@merklejerk
Copy link
Collaborator

Not an issue for our protocol specifically, but we can imagine some market or external protocol accepting these tokens in some unified 1155/721 solution that might get tripped up. Will also disallow calls to onERC1155Received in arbitrary calls.

@0xble 0xble mentioned this issue Sep 21, 2022
Merged
@0xble 0xble added the resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) label Oct 2, 2022
@0xble
Copy link
Collaborator

0xble commented Oct 2, 2022

Resolved: PartyDAO/party-protocol#128

@HardlyDifficult
Copy link
Collaborator

Interesting scenario. If a market did get tripped up by this, seems that's a bug for them to deal with, e.g. by confirming ownership. I'm not opposed to the recommendation - but the potential impact in terms of how it's relevant to the party doesn't seem to be explored. Downgrading to Low risk and merging with #101

@HardlyDifficult HardlyDifficult added duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 6, 2022
@HardlyDifficult HardlyDifficult mentioned this issue Oct 6, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working duplicate This issue or pull request already exists QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@merklejerk @HardlyDifficult @0xble @code423n4