ParaSpace contest - eierina's results

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L290-L301 https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L320-L327

Vulnerability details

Impact

MintableIncentivizedERC721 incorrectly implements safeTransfer and safeTransferFrom by simply replicating the unsafe transfer/transferFrom function.

Raising as medium because as a consequence of this, these ERC721 tokens may end up locked in contracts that does not support ERC-721 tokens while at the same time offering the false impression of this event being impossible to whoever is using the safeTransfer/safeTransferFrom functions.

Proof of Concept

https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L290-L301 https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L320-L327

Tools Used

Recommended Mitigation Steps

Either implement safe transfer for safeTransfer/safeTransferFrom function or revert on safeTransfer/safeTransferFrom if not willing to support safe tansfers.

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L572-L582

Vulnerability details

Impact

The MintableIncentivizedERC721 base contract implements IERC165 interface, but the supportsInterface implementation does not comply to the EIP-165.

Raising as medium priority because the incorrect implementation defeats its own purpose.

Proof of Concept

The EIP-165 defines support for ERC-165 interface/implementation here and states the following:

How to Detect if a Contract Implements ERC-165

1. The source contract makes a STATICCALL to the destination address with input data: 0x01ffc9a701ffc9a700000000000000000000000000000000000000000000000000000000 and gas 30,000. This corresponds to contract.supportsInterface(0x01ffc9a7).
2. If the call fails or return false, the destination contract does not implement ERC-165.
3. If the call returns true, a second call is made with input data 0x01ffc9a7ffffffff00000000000000000000000000000000000000000000000000000000.
4. If the second call fails or returns true, the destination contract does not implement ERC-165.
5. Otherwise it implements ERC-165.

How to Detect if a Contract Implements any Given Interface

1. If you are not sure if the contract implements ERC-165, use the above procedure to confirm.
2. If it does not implement ERC-165, then you will have to see what methods it uses the old-fashioned way.
3. If it implements ERC-165 then just call supportsInterface(interfaceID) to determine if it implements an interface you can use.

Tools Used

Manual review.

Recommended Mitigation Steps

Follow the EIP-165 or inherit from a correct ERC-165 implementation as OpenZeppelin's one and ensure the supportsInterface call follows the inheritance chain.