Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Function spec and implementation difference / strict comparison #45

Open
code423n4 opened this issue Nov 22, 2021 · 1 comment · Fixed by unlock-protocol/unlock#7986
Open

Function spec and implementation difference / strict comparison #45

code423n4 opened this issue Nov 22, 2021 · 1 comment · Fixed by unlock-protocol/unlock#7986
Assignees
@clemsos
Labels
1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Handle

loop

Vulnerability details

The function tokenOfOwnerByIndex has a requirement for _index to be 0. This is different from the specification, which states:

/// @dev Throws if `_index` >= `balanceOf(_keyOwner)` or if
///  `_keyOwner` is the zero address, representing invalid NFTs.

It also seems to be a bit unnecessary as _index is not even used in the following call getTokenIdFor(_keyOwner).

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other https://github.com/code-423n4/2021-11-unlock/blob/main/smart-contracts/contracts/mixins/MixinERC721Enumerable.sol#L44-L59

Recommended Mitigation Steps

Change require statement to something according to specification:
require(_index < balanceOf(_keyOwner) && _keyOwner != address(0));

@code423n4 code423n4 added 1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working labels Nov 22, 2021
code423n4 added a commit that referenced this issue Nov 22, 2021
@code423n4
loop issue #45
b93ecd2
@julien51 julien51 added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Jan 3, 2022
@julien51
Copy link
Collaborator

julien51 commented Jan 3, 2022

This is indeed an issue! Let's get it fixed @clemsos

@clemsos clemsos mentioned this issue Jan 4, 2022
Merged
6 tasks
@0xleastwood 0xleastwood reopened this Jan 16, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@clemsos clemsos

Labels
1 (Low Risk) Assets are not at risk. State handling, function incorrect as to spec, issues with comments bug Something isn't working sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

tokenOfOwnerByIndex implementation match existing docstring unlock-protocol/unlock
4 participants
@julien51 @clemsos @0xleastwood @code423n4