Improper function behaviour in ERC721Enumerable #69
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
invalid
This doesn't seem right
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/code-423n4/2022-08-nounsdao/blob/452695d4764ba9d5e1d3eef0d5ecca3d004f215a/contracts/base/ERC721Enumerable.sol#L54-L56
Vulnerability details
Impact
One of the view functions will revert instead of returning false.
Proof of Concept
In
package.json
, the following lines show which version of openzeppelin is being used:The function
supportsInterface()
inERC721Enumerable.sol
calls OZ's ERC165supportsInterface()
, which has a known vulnerability that causes the function to revert instead of returning false due to anabi.decode
behaviour introduced in solidity's version 0.8More details in the links below:
https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINCONTRACTS-2958047
OpenZeppelin/openzeppelin-contracts#3552
Tools Used
Manual code reading
Recommended Mitigation Steps
Update OpenZeppelin to version 4.7.1 or more recent.
The text was updated successfully, but these errors were encountered: