Platform: Code4rena
Start Date: 31/01/2023
Pot Size: $36,500 CANTO
Total HM: 5
Participants: 38
Period: 3 days
Judge: berndartmueller
Total Solo HM: 2
Id: 212
League: ETH
Rank: 18/38
Findings: 1
Award: $108.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
360.4223 CANTO - $108.60
https://github.com/code-423n4/2023-01-canto-identity/blob/main/src/AddressRegistry.sol#L51-L57
https://github.com/code-423n4/2023-01-canto-identity/blob/main/src/AddressRegistry.sol#L21
https://github.com/code-423n4/2023-01-canto-identity/blob/main/src/AddressRegistry.sol#L40-L49
https://github.com/code-423n4/2023-01-canto-identity/blob/main/src/AddressRegistry.sol#L59-L64
AddressRegistry might have a non-actual record, which leads to an inconsistent AddressRegistry state and might affect possible consumers.
To register a favorite NFT, the user calls the register function from AddressRegistry.
Then he sold this NFT to another user, and now he isn't the owner of this NFT.
From this time, AddressRegistry has an incorrect state and will keep this state until the previous owner deletes this entry himself.
But if AddressRegistry is integrated with some services which produce goods, users may not delete this record and take all the benefits from another contract.
Manual audit
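Add a function to force-reset the record for a user who is not the owner of the current NFT item. Something like this:

```solidity
function reset(address addr) external {
    // cidNFTs is a mapping keyed by user address, so it is indexed with [].
    uint256 nftId = cidNFTs[addr];
    if (nftId == 0) {
        return; // nothing registered for this address
    }
    // Clear the entry once addr no longer owns the registered NFT.
    if (ERC721(cidNFT).ownerOf(nftId) != addr) {
        delete cidNFTs[addr];
    }
}
```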
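A consumer-side guard for the stale-entry case described above, as an added example that is not part of the submission or of the Canto Identity code base. The contract name `VerifiedCIDReader`, the `claimed` mapping and the `Claimed` event are hypothetical, and `getCID(address)` is assumed to be the registry getter that returns 0 when nothing is registered.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces: only the calls this example needs.
interface IAddressRegistry {
    // Assumption: returns the CID NFT id registered for `user`, 0 if none.
    function getCID(address user) external view returns (uint256);
}

interface IERC721OwnerOf {
    function ownerOf(uint256 id) external view returns (address);
}

/// Hypothetical consumer that accepts a registry entry only while the
/// registered address still owns the NFT, and grants a benefit once per NFT.
contract VerifiedCIDReader {
    IAddressRegistry public immutable registry;
    IERC721OwnerOf public immutable cidNFT;
    mapping(uint256 => bool) public claimed; // keyed by NFT id, not by address

    event Claimed(address indexed user, uint256 indexed id);

    constructor(address registry_, address cidNFT_) {
        registry = IAddressRegistry(registry_);
        cidNFT = IERC721OwnerOf(cidNFT_);
    }

    /// Returns the registered id, or 0 when the entry is missing or stale.
    function verifiedCID(address user) public view returns (uint256) {
        uint256 id = registry.getCID(user);
        if (id == 0) return 0;
        // ownerOf may revert (for example if the token was burned);
        // treat a revert the same as a stale entry.
        try cidNFT.ownerOf(id) returns (address owner) {
            return owner == user ? id : 0;
        } catch {
            return 0;
        }
    }

    /// A previous owner with a leftover registry entry fails the first check;
    /// a transferred NFT cannot be used to claim a second time.
    function claim() external {
        uint256 id = verifiedCID(msg.sender);
        require(id != 0, "stale or missing CID");
        require(!claimed[id], "already claimed");
        claimed[id] = true;
        emit Claimed(msg.sender, id);
    }
}
```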
#0 - berndartmueller
2023-02-09T12:56:00Z
#1 - c4-judge
2023-02-09T12:56:11Z
berndartmueller marked the issue as unsatisfactory: Invalid
#2 - c4-judge
2023-03-07T21:34:07Z
berndartmueller marked the issue as satisfactory
#3 - c4-judge
2023-03-07T21:35:38Z
berndartmueller marked the issue as duplicate of #177