Comments (9)
`msg.sender` is the owner that stakes the service, and it's exactly the same owner that is able to unstake it. What is the scenario that `msg.sender` was able to be the owner of the service before staking it, but is no longer able to receive ERC721 token when unstaking?
Our protocol assumes a valid ERC721 standard used in all the possible service registry contracts. If someone decides to use a custom broken ERC721 contract that is able to mint tokens to the contract, but cannot receive one by the transfer, this is out of scope of our protocol.
from 2024-05-olas-findings.
kupermind (sponsor) disputed
After several communication rounds we can accept the issue; however, the declared severity completely does not match the issue. There is zero risk factor for the protocol, only the stupidity of a user who has not checked the staking contract requirements.
None of the well-known contract wallets reject the contract ERC721 support. This must be an artificially created scenario when the user deliberately uses the contract without such support. If one is talking about an outdated Safe, for example, there is a way to upgrade the Safe version, and then provide the correct fallbackHandler contract address to deal with ERC721 contracts.
0xA5DF changed the severity to 2 (Med Risk)
0xA5DF marked the issue as satisfactory
0xA5DF marked the issue as selected for report
I agree that this is less likely to happen and somewhat on the user to ensure that their contract can receive ERC721.
However, I think that the likelihood is sufficient to consider this as med, given the high impact.
For transparency, per Discord discussion with the Olas sponsor (kupermind), the labeling has been updated to sponsor acknowledged.
Fixed