Zellic - Audit Reports

Assessment reports Public findings

Back to Zellic site

Assessment reports>Wasabi>Threat Models>onERC721Received

GeneralOverview

Findings

DiscussionAbstractWasabiPool should use upgradable variants of OpenZeppelin contracts Put options operate on entire collections Pools require well-behaved NFTs

Threat ModelsWhat are threat models?

AbstractWasabiPool.sol acceptBidWithTokenId acceptAsk executeOption onERC721Received writeOptionTo

WasabiOption WasabiPoolFactory.sol

Audit ResultsSummary

Function: `onERC721Received(address None, address None, uint256 tokenId, bytes memory None)`

Receive function magic selector for ERC721 tokens so that the pool can receive NFTs. Will be inherited by all pools.

Inputs

tokenId
- Control: User has full control over this input.
- Constraints: If the msg.sender is the optionNFT, the tokenId must be in the optionIds set. If the msg.sender is the NFT address, it is added to tokenIds.
- Impact: Only tokenIDs sent from the NFT address or the optionNFT address are added to the tokenIds or optionIds sets. If the msg.sender is the optionNFT, the option is cleared.

Branches and code coverage (including function calls)

Intended branches

msg.sender is the optionNFT.

msg.sender is the NFT address.

Negative behavior

msg.sender is neither the optionNFT nor the NFT address and therefore reverts.

Function call analysis

onERC721Received -> clearOption(tokenId, 0, false)
- What is controllable? Nothing because the msg.sender is checked to be the optionNFT.
- If return value controllable, how is it used and how can it go wrong? No return value.
- What happens if it reverts, reenters, or does other unusual control flow? The control flow of clearOption is complex and should be reviewed to ensure it handles all edge cases.

Zellic © 2024Back to top ↑