-
Notifications
You must be signed in to change notification settings - Fork 310
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AWARD: Ark Protocol Claim "1 - Best Auditor" #713
Comments
There is a fix for avoiding stealing NFTs. The fix only checks whether NFT is escrowed. So exploiting an not send/not escrowed NFTs is not possible anymore. Nevertheless it is possible to steal an escrowed, from another custom ICS721 contract with a fake class id. The solution is: when receiving a back transfer dest channel must be checked against (outgoing) channel, at the time, when NFT was transferred to specific channel. This way it guarantees that during receival, nft module only accepts back transfer when source channel is the same, as the outgoing channel where it has previously been send to. See my comment here: |
As mentioned together with IRISnet, Ark Protocol, has reviewed, supported and tested transfers between ICS721 wasm contract and nft module since Nov. 2022. Like these 2 issues have been identified and fixed:
|
See my custom contract and comment in #705 |
Also check our review on nft module is able to change token data - even though on origin chain the creator has ownership of this collection: #705 (comment) Using nft module it allows user to change token data on transferring back to original collection. |
Importance of Truth-of-Source by validating incoming |
Award and Bug claim has been issued here: #158. We are splitting claim into 2 parts. This covers the Best Audtor Award claim.
Audits and reviews on NFT module and ICS721 wasm contract:
i. 6 bugs during GoN and at least 2 before GoN - see here: AWARD: Ark Protocol Claim "5 - Bug Hunters" #705
ii. both 2 critical bugs have been identified by team members of Ark Protocol:
A. exploit token data on transfer (IBC receive/send packet) from source to target chain
a) exploit and example here: AWARD: Ark Protocol Claim Best Auditor and/or Bug :) #158
b) please also note the steps to reproduce in AWARD: Ark Protocol Claim Best Auditor and/or Bug :) #158. especiall this code snippet:
This exploit is a honeypot, allowing exploiter to take ownership of NFT by overriding receiver address. In return exploiter can just send NFT back to 'official' collection and take ownership by passing any recipient of course - by doing a normal ICS (back) transfer.
Even if a collector would not fall into this honeypot trap. Exploiter can send itself to exploited contract on another chain, change metadata and send it back with modified token data - like with manipulated rare, legendaray traits for selling a former cheap NFT to a higher price.
More reviews:
The text was updated successfully, but these errors were encountered: