Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

transferVoucher and alterVoucher should check that voucher exists #2

Open
cducrest opened this issue Nov 10, 2023 · 1 comment
Open

transferVoucher and alterVoucher should check that voucher exists #2

cducrest opened this issue Nov 10, 2023 · 1 comment
Labels
info Informational finding

Comments

@cducrest
Copy link

Summary

The function to transfer and alter a voucher should check that a voucher exists before attempting to transfer / alter it.

## Vulnerability Detail

The functions transferVoucher() and alterVoucher() do not revert when called with a voucher that was not minted beforehand:

    function transferVoucher(
        uint256 voucherID,
        string memory ownerID
    ) public whenNotPaused onlyOwner {
        vouchers[voucherID].ownerID = ownerID;
        emit transferVoucherEvent(voucherID, ownerID);
    }

    function alterVoucher(
        uint256 voucherID,
        SharedStructs.Voucher memory voucher
    ) public whenNotPaused onlyOwner {
        vouchers[voucherID] = voucher;
        emit alterVoucherEvent(voucherID, voucher);
    }

Impact

This could result in confusion to the caller of the contract if they want to mint a voucher and transfer it to someone but they mistakenly call transferVoucher() before calling mintVoucher() resulting in the voucher being owned by the owner provided in mintVoucher(). This could also occur due to a reorg of caller transactions if the owner contract does not enforce an ordering of the calls.

This can lead to unforeseen event handling in the backend / frontend when events are received out of expected order.

References

audit-wiiqare-1/contracts/WiiQareVoucherV1.sol

Lines 82 to 101 in 0243110

function transferVoucher(
uint256 voucherID,
string memory ownerID
) public whenNotPaused onlyOwner {
vouchers[voucherID].ownerID = ownerID;
emit transferVoucherEvent(voucherID, ownerID);
}
/**
* Allows the contract owner to alter data for a voucher when the contract is not paused
* @param voucherID id of the target voucher
* @param voucher new voucher data
*/
function alterVoucher(
uint256 voucherID,
SharedStructs.Voucher memory voucher
) public whenNotPaused onlyOwner {
vouchers[voucherID] = voucher;
emit alterVoucherEvent(voucherID, voucher);
}

Recommendation

Revert when the function is called with a non-existing voucher, e.g. by checking that vouchers[voucherID].value > 0 or with ERC721's _exists(voucherID) function.
@cducrest cducrest added the info Informational finding label Nov 10, 2023
@liviuvlad-innovatorspark
Copy link

_exists was removed for v5 of the ERC721, so it was replaced by the following modifier
require(ownerOf(voucherID) != address(0), "Voucher doesn't exist!");
thanks for the great feedback, issue is being addressed here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
info Informational finding
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cducrest @liviuvlad-innovatorspark