Created July 22, 2024 03:37
Gist: 0x175/c52033c69ee45c24744d1a6b80a1da7c
ZeroLend Report
Findings
`_transferFrom()` does not adhere to the ERC721 standard as expected

Description

As outlined here in the NatSpec comments, it is expected that a call to `_transferFrom()` "Throws if `_to` is the zero address". However, there is no check to ensure this is the case. Here is a test case that demonstrates this:

Here is the output:

[FAIL. Reason: call did not revert as expected] test_TransferFrom()

The call did not revert as expected and the token was successfully sent to the zero address, making it unrecoverable. This affects both `transferFrom()` and `safeTransferFrom()`, as `_transfer()` is called internally in both functions, as seen here and here respectively. To prevent unexpected behaviour such as loss of tokens, it is critical not to deviate from the standard when it is expected to be followed, as in this case.

Recommendation

Add the following check to `_transferFrom()` (ZeroLocker.sol#L334):

With this change, if the above test case is run again, the function call does revert as expected. Here is the output:

[PASS] test_TransferFrom()
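The following is an added illustration of the pattern the finding describes, not ZeroLend's code and not the test case from the report: a minimal ERC721-style contract (hypothetical name `MinimalLocker`) whose internal `_transferFrom()` enforces the NatSpec guarantee with a zero-address `require`, and a Foundry test that asserts the public entry points revert on a transfer to `address(0)`. The contract layout, names and revert strings are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Hypothetical minimal locker used only to illustrate the zero-address check.
contract MinimalLocker {
    mapping(uint256 => address) internal idToOwner;
    mapping(address => uint256) internal ownerToCount;
    mapping(uint256 => address) internal idToApprovals;

    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);

    function ownerOf(uint256 tokenId) external view returns (address) {
        return idToOwner[tokenId];
    }

    function mint(address to, uint256 tokenId) external {
        require(to != address(0), "ZERO_ADDRESS");
        require(idToOwner[tokenId] == address(0), "ALREADY_MINTED");
        idToOwner[tokenId] = to;
        ownerToCount[to] += 1;
        emit Transfer(address(0), to, tokenId);
    }

    function _isApprovedOrOwner(address spender, uint256 tokenId) internal view returns (bool) {
        address owner = idToOwner[tokenId];
        return spender == owner || idToApprovals[tokenId] == spender;
    }

    /// @dev Throws if `to` is the zero address. Without the first require a
    /// transfer to address(0) would succeed and the token would be unrecoverable,
    /// which is the behaviour the finding above describes.
    function _transferFrom(address from, address to, uint256 tokenId, address sender) internal {
        require(to != address(0), "ERC721: transfer to the zero address");
        require(_isApprovedOrOwner(sender, tokenId), "NOT_APPROVED_OR_OWNER");
        require(idToOwner[tokenId] == from, "WRONG_FROM");
        delete idToApprovals[tokenId];
        ownerToCount[from] -= 1;
        idToOwner[tokenId] = to;
        ownerToCount[to] += 1;
        emit Transfer(from, to, tokenId);
    }

    // Both public entry points route through the same internal function, so a
    // single check there covers transferFrom() and safeTransferFrom().
    function transferFrom(address from, address to, uint256 tokenId) external {
        _transferFrom(from, to, tokenId, msg.sender);
    }

    function safeTransferFrom(address from, address to, uint256 tokenId) external {
        _transferFrom(from, to, tokenId, msg.sender);
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, from, tokenId, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "UNSAFE_RECIPIENT");
        }
    }
}

// Foundry test: constructed scenario, one token minted to a hypothetical owner.
contract MinimalLockerTest is Test {
    MinimalLocker locker;
    address alice = address(0xA11CE);

    function setUp() public {
        locker = new MinimalLocker();
        locker.mint(alice, 1);
    }

    function test_TransferFrom() public {
        vm.prank(alice);
        vm.expectRevert(bytes("ERC721: transfer to the zero address"));
        locker.transferFrom(alice, address(0), 1);
        // Ownership must be unchanged after the reverted call.
        assertEq(locker.ownerOf(1), alice);
    }

    function test_SafeTransferFrom() public {
        vm.prank(alice);
        vm.expectRevert(bytes("ERC721: transfer to the zero address"));
        locker.safeTransferFrom(alice, address(0), 1);
        assertEq(locker.ownerOf(1), alice);
    }
}
```

Placing the check in the shared internal function rather than in each external wrapper is what makes the fix complete: any future entry point that calls `_transferFrom()` inherits the guarantee, and `forge test --match-test test_TransferFrom` exercises it the same way the report's output shows.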