Delegate - kodyvim's results

Securing onchain identities by linking cold and hot wallets

General Information

Platform: Code4rena

Start Date: 05/09/2023

Pot Size: $50,000 USDC

Total HM: 2

Participants: 16

Period: 6 days

Judge: GalloDaSballo

Total Solo HM: 2

Id: 284

League: ETH

Delegate

Findings Distribution

Researcher Performance

Rank: 11/16

Findings: 1

Award: $40.13

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: DadeKuma

Also found by: Brenzee, Fulum, gkrastenov, kodyvim, ladboy233, lodelux, lsaudit, p0wd3r, sces60107

Labels

bug
disagree with severity
downgraded by judge
grade-b
QA (Quality Assurance)
sponsor acknowledged
Q-07

Awards

40.1294 USDC - $40.13

External Links

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/main/src/libraries/DelegateTokenTransferHelpers.sol#L35

Vulnerability details

Impact

Strict allowance could affect third party integration

Proof of Concept

Protocols or third-party integrations seeking to build on Delegate could be unable to call create() with NFTs that have only been approved to them rather than transferred. Such integrations might not need, or want, to move the NFT out of the user's wallet first. When creating a delegate position, checkAndPullByType -> checkERC721BeforePull is called: https://github.com/code-423n4/2023-09-delegate/blob/main/src/libraries/DelegateTokenTransferHelpers.sol#L35

    function checkERC721BeforePull(uint256 underlyingAmount, address underlyingContract, uint256 underlyingTokenId) internal view {
        if (underlyingAmount != 0) {
            revert Errors.WrongAmountForType(IDelegateRegistry.DelegationType.ERC721, underlyingAmount);
        }
        if (IERC721(underlyingContract).ownerOf(underlyingTokenId) != msg.sender) { //<@ owner-only check
            revert Errors.CallerNotOwnerOrInvalidToken();
        }
    }

Because it strictly requires the caller to be the current owner and does not accept an address that is merely approved (via approve() or setApprovalForAll()), any call to create() from an approved user or operator reverts.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider allowing both the owner and approved users (per-token approved address or operator) to create a delegate position using the NFT.
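To make the recommendation concrete, the following is an added example (not code from the Delegate repository) that places the strict owner-only check beside a relaxed check that also admits the ERC-721 per-token approved address and operators. The interface name IERC721Minimal, the library name PullHelpers and the error names are assumptions for this illustration, not the project's own identifiers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not Delegate's code. IERC721Minimal and PullHelpers are
// hypothetical names; only the ERC-721 functions named below are relied on.
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
    function getApproved(uint256 tokenId) external view returns (address);
    function isApprovedForAll(address owner, address operator) external view returns (bool);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

library PullHelpers {
    error WrongAmountForType(uint256 amount);
    error CallerNotOwnerOrInvalidToken();
    error CallerNotOwnerOrApproved();

    // Strict variant, mirroring the behaviour described in the finding:
    // only the current owner may proceed, so an approved address or an
    // operator acting on the owner's behalf is rejected.
    function checkERC721BeforePullStrict(uint256 amount, address token, uint256 tokenId) internal view {
        if (amount != 0) revert WrongAmountForType(amount);
        if (IERC721Minimal(token).ownerOf(tokenId) != msg.sender) {
            revert CallerNotOwnerOrInvalidToken();
        }
    }

    // Relaxed variant: the owner, the per-token approved address, or an
    // operator approved for all of the owner's tokens may proceed.
    // Returns the owner so the caller can pull from the correct address;
    // transferFrom(msg.sender, ...) would revert when msg.sender is only
    // approved, because msg.sender does not hold the token.
    function checkERC721BeforePullRelaxed(uint256 amount, address token, uint256 tokenId)
        internal
        view
        returns (address owner)
    {
        if (amount != 0) revert WrongAmountForType(amount);
        IERC721Minimal nft = IERC721Minimal(token);
        // ERC-721 requires ownerOf to revert for a nonexistent token, so an
        // invalid tokenId still fails here.
        owner = nft.ownerOf(tokenId);
        bool allowed = msg.sender == owner
            || nft.getApproved(tokenId) == msg.sender
            || nft.isApprovedForAll(owner, msg.sender);
        if (!allowed) revert CallerNotOwnerOrApproved();
    }

    // Pull step paired with the relaxed check: escrow the token from its
    // actual owner into the calling contract. The per-token approval is
    // cleared by the transfer, as the ERC-721 standard requires.
    function pullERC721(address token, uint256 tokenId) internal returns (address owner) {
        owner = checkERC721BeforePullRelaxed(0, token, tokenId);
        IERC721Minimal(token).transferFrom(owner, address(this), tokenId);
    }
}
```

Two points to settle before adopting the relaxed check in a real integration: the subsequent pull must use the owner returned by the check as the from address, and the protocol must decide explicitly whether the resulting delegate rights and principal token are issued to the owner or to the approved caller, since the strict check made those the same address.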

Assessed type

Context

#0 - c4-sponsor

2023-09-20T23:03:12Z

0xfoobar marked the issue as disagree with severity

#1 - c4-sponsor

2023-09-20T23:03:16Z

0xfoobar (sponsor) acknowledged

#2 - GalloDaSballo

2023-10-02T07:41:58Z

Similarly to #279, the operator cannot perform a certain operation.

This will not cause any substantial DoS nor break the system in any particular way, since the operator can: -> transfer to self -> perform the operation

#3 - c4-judge

2023-10-02T07:42:11Z

GalloDaSballo changed the severity to QA (Quality Assurance)

#4 - c4-judge

2023-10-02T11:47:31Z

GalloDaSballo marked the issue as grade-b

#5 - GalloDaSballo

2023-10-02T11:47:37Z

Manually awarded B as a notable QA finding
