Code4rena CODE423N4:2022-09-PARTY-FINDINGS-ISSUES-283
Sep 19, 2022 - 12:00 a.m.

[NAZ-M3] Use safeTransferFrom() instead of transferFrom() for ERC721 transfers


Lines of code

Vulnerability details

Impact

The transferFrom() method is used instead of safeTransferFrom(), presumably to save gas. I, however, argue that this isn’t recommended because:

  • OpenZeppelin’s documentation discourages the use of transferFrom(); use safeTransferFrom() whenever possible.
  • Given that any NFT can be used, there are a few NFTs (here’s an example) that have logic in the onERC721Received() function, which is only triggered in the safeTransferFrom() function and not in transferFrom().

Tools Used

Manual Review

Recommended Mitigation Steps

Consider using the safeTransferFrom() method instead of transferFrom() for NFT transfers.
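
An added example, not part of the original report or of the audited code base, illustrating the point about receivers with logic in onERC721Received(): the same token sent by both methods ends up in different states. DepositVault and NftSender are hypothetical contracts, and the imports assume OpenZeppelin Contracts is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical receiver whose bookkeeping lives in the ERC721 receive hook.
contract DepositVault is IERC721Receiver {
    // token contract => tokenId => original depositor
    mapping(address => mapping(uint256 => address)) public depositorOf;

    function onERC721Received(
        address, /* operator */
        address from,
        uint256 tokenId,
        bytes calldata /* data */
    ) external override returns (bytes4) {
        // msg.sender is the NFT contract that invoked the hook.
        depositorOf[msg.sender][tokenId] = from;
        return IERC721Receiver.onERC721Received.selector;
    }

    function withdraw(IERC721 token, uint256 tokenId) external {
        require(depositorOf[address(token)][tokenId] == msg.sender, "not depositor");
        delete depositorOf[address(token)][tokenId]; // state change before the external call
        token.safeTransferFrom(address(this), msg.sender, tokenId);
    }
}

// Hypothetical sender; the caller must have approved this contract for tokenId.
contract NftSender {
    // Hook is skipped: the vault owns the token but depositorOf stays zero,
    // so withdraw() reverts for every caller and the token is stuck.
    function sendUnsafe(IERC721 token, address vault, uint256 tokenId) external {
        token.transferFrom(msg.sender, vault, tokenId);
    }

    // Hook runs: the vault records msg.sender as depositor. The call reverts
    // if the recipient is a contract that does not implement the hook.
    function sendSafe(IERC721 token, address vault, uint256 tokenId) external {
        token.safeTransferFrom(msg.sender, vault, tokenId);
    }
}
```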

