GithubHelp home page GithubHelp logo

Comments (9)

kupermind avatar kupermind commented on September 2, 2024

msg.sender is the owner that stakes the service, and it's exactly the same owner that is able to unstake it. What is the scenario that msg.sender was able to be the owner of the service before staking it, but is no longer able to receive ERC721 token when unstaking?

Our protocol assumes a valid ERC721 standard used in all the possible service registry contracts. If someone decides to use a custom broken ERC721 contract that is able to mint tokens to the contract, but cannot receive one by the transfer, this is out of scope of our protocol.

from 2024-05-olas-findings.

c4-sponsor avatar c4-sponsor commented on September 2, 2024

kupermind (sponsor) disputed

from 2024-05-olas-findings.

kupermind avatar kupermind commented on September 2, 2024

After several communication rounds we can accept the issue, however the declared severity completely does not match the issue. There is zero risk factor for the protocol, only the user stupidity that have not checked the staking contract requirements.

None of well-known contract wallets reject the contract ERC721 support. This must be an artificially created scenario when the user deliberately uses the contract without such a support. If one is talking about outdated Safe, for example, there is a way to upgrade the Safe version, and then provide the correct fallbackHandler contract address to deal with ERC721 contracts.

from 2024-05-olas-findings.

c4-judge avatar c4-judge commented on September 2, 2024

0xA5DF changed the severity to 2 (Med Risk)

from 2024-05-olas-findings.

c4-judge avatar c4-judge commented on September 2, 2024

0xA5DF marked the issue as satisfactory

from 2024-05-olas-findings.

c4-judge avatar c4-judge commented on September 2, 2024

0xA5DF marked the issue as selected for report

from 2024-05-olas-findings.

0xA5DF avatar 0xA5DF commented on September 2, 2024

I agree that this is less likely to happen and somewhat on the user to ensure that their contract can receive ERC721
However, I think that the likelihood is sufficient to consider this as med, given the high impact.

from 2024-05-olas-findings.

thebrittfactor avatar thebrittfactor commented on September 2, 2024

For transparency, per discord discussion with the Olas sponsor (kupermind) the labeling has been updated to sponsor acknowledged.

from 2024-05-olas-findings.

vsharma4394 avatar vsharma4394 commented on September 2, 2024

Fixed

from 2024-05-olas-findings.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.