leastwood
The awardExternalERC721() function uses solidityβs try and catch statement to ensure a single tokenId cannot deny function execution. If the try statement fails, an ErrorAwardingExternalERC721 event is emitted with the relevant error, however, the failed tokenId is not removed from the list of tokenIds emitted at the end of function execution. As a result, the AwardedExternalERC721 is emitted with the entire list of tokenIds, regardless of failure. An off-chain script or user could therefore be tricked into thinking an ERC721 tokenId was successfully awarded.
Manual code review
Consider emitting only successfully transferred tokenIds in the AwardedExternalERC721 event.
The text was updated successfully, but these errors were encountered:
All reactions