ktg - Incompatibility between balanceOf and balanceOfBatch.

[sherlock-admin]

ktg

medium

Incompatibility between balanceOf and balanceOfBatch.

Summary

ERC1155 has a function balanceOfBatch not overridden by contract Hats. This function is public and does not account for the active/inactive status of a hat or whether the user is eligible; it instead returns the static balance of inputed users.
If a users use this balanceOfBatch function for checking the status of hats wearers, they will receive wrong result and make wrong decisions based on that.

Vulnerability Detail

Here is a POC:

contract IncompatibilityBetweenBalanceOfAndBatchBalanceOf is TestSetup {
    function testIncompatibility() public {
        (uint256[] memory ids, address[] memory wearers) = createHatsBranch(3, topHatId, topHatWearer, false);
        // make hat number 2 inactive
        vm.prank(_toggle);
        hats.setHatStatus(ids[2], false);

        uint256 balanceOfResult;
        uint256[] memory balanceOfBatchResult;
        balanceOfResult = hats.balanceOf(wearers[2], ids[2]);
        balanceOfBatchResult = hats.balanceOfBatch(wearers, ids);

        // balance of wearers[2] for ids[2] is returned differently from 2 functions
        assertEq(balanceOfResult, 0);
        assertEq(balanceOfBatchResult[2], 1);
    }
}

command to test forge test --match-path test/Hats.t.sol -vvvv --match-contract IncompatibilityBetweenBalanceOfAndBatchBalanceOf

Impact

• Incompatibility between balanceOf and balanceOfBatch
• Wrong results returned to users

Code Snippet

https://github.com/Hats-Protocol/hats-protocol/blob/fafcfdf046c0369c1f9e077eacd94a328f9d7af0/src/Hats.sol#L1149-#L1162

Tool used

Manual Review

Recommendation

I recommend overriding function balanceOfBatch and return the same result with balanceOf

Duplicate of #85