eyeball (collection) might be compromised by proxy #54

taitruong · 2023-05-21T19:32:21Z

This seems to be critical where info.sender is set provided by proxy: https://github.com/public-awesome/ics721/blob/main/contracts/cw-ics721-bridge/src/contract.rs#L110

fn execute_receive_proxy_nft( ... ) -> Result<Response, ContractError> {
    if PROXY
        .load(deps.storage)?
        .map_or(true, |proxy| info.sender != proxy)
    {
        return Err(ContractError::Unauthorized {});
    }
    let mut info = info;
    info.sender = deps.api.addr_validate(&eyeball)?;
    let cw721::Cw721ReceiveMsg {
        token_id,
        sender,
        msg,
    } = msg;
    receive_nft(deps, info, TokenId::new(token_id), sender, msg)
}

So it would be possible having an exploited proxy contract and providing any random collection which will then be transferred to another chain.

One solution is checking, whether sender is owner of NFT by querying all_nft_info, instead of nft_info here:

https://github.com/public-awesome/ics721/blob/main/contracts/cw-ics721-bridge/src/contract.rs#L173

The text was updated successfully, but these errors were encountered:

humanalgorithm · 2023-06-01T20:19:26Z

This issue has now been resolved by creating a new proxy package here:
https://github.com/arkprotocol/ics721-plus

humanalgorithm closed this as completed Jun 1, 2023

humanalgorithm mentioned this issue Jun 1, 2023

Proxy is resetted, set back to null, during migration #53

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

eyeball (collection) might be compromised by proxy #54

eyeball (collection) might be compromised by proxy #54

taitruong commented May 21, 2023

humanalgorithm commented Jun 1, 2023

eyeball (collection) might be compromised by proxy #54

eyeball (collection) might be compromised by proxy #54

Comments

taitruong commented May 21, 2023

humanalgorithm commented Jun 1, 2023