cryptozombie-lessons icon indicating copy to clipboard operation
cryptozombie-lessons copied to clipboard

Published 20 hours ago verified publisher icon CryptozombiesHQ

Add require check for token owner matching _from address in 05-erc721-5.md

Open cooldc314 opened this issue 3 years ago • 3 comments

cooldc314 avatar Feb 13 '22 08:02 cooldc314

@cooldc314 I'm a bit lost. Please explain what this pull request aims to fix.

andreipope avatar Feb 23 '22 12:02 andreipope

It should always be invalid to transfer from an address that does not match the token owner's address. Even with the additional require checks implemented for the public functions, currently the final solution allows someone to transfer a token they own but spoof the _from address, thus decreasing the zombie count incorrectly for any address.

cooldc314 avatar Feb 24 '22 20:02 cooldc314

+1 to fixing this, I noticed this as well.

Here's a high-level example: if I call transferFrom(myEnemyAddress, mySecondaryAddress, myZombie) I can transfer my zombie to another account I own, but I also decrement the ownerZombieCount of my enemy. I can do this because there's no check on the _from argument (myEnemyAddress), only the _tokenId (myZombie) argument. Rinse and repeat.

Regarding the actual changes to the contract code, I think it makes most sense to update the transferFrom function which already has the existing require conditions for the token owner/approval. Updated function would look like:

  function transferFrom(address _from, address _to, uint256 _tokenId) external payable {
    require (_from == msg.sender || zombieToOwner[_tokenId] == msg.sender || zombieApprovals[_tokenId] == msg.sender);
    _transfer(_from, _to, _tokenId);
  }

nonik0 avatar Apr 07 '22 07:04 nonik0