This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
0x52 - Escrow approvals are not cleared when club is transferred allowing for abuse after transfer #289
Labels: Has Duplicates, High, Reward, Sponsor Confirmed, Will Fix
0x52
high
Escrow approvals are not cleared when club is transferred allowing for abuse after transfer
Summary
Escrow approvals remain even across club token transfers. This allows a malicious club owner to sell their club and then drain everything after the sale using previous approvals.
Vulnerability Detail
ERC20 and ERC721 token approvals persist regardless of the owner of the club. The result is that approvals set by one owner can be accessed after a token has been sold or transferred. This allows the following attack:
Impact
Malicious approvals can be used to drain club after sale
Code Snippet
FootiumEscrow.sol#L75-L81
FootiumEscrow.sol#L90-L96
Tool used
Manual Review
Recommendation
Club escrow system needs to be redesigned
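An added illustration of the behaviour described in this report, written as a simplified Python model (not code from FootiumEscrow.sol or the project): allowances that survive a club transfer, beside a variant that ties each allowance to the owner who granted it. All names and the epoch-based scoping are assumptions; the report itself only recommends a redesign.

```python
# Simplified model (constructed): one escrow per club, holding a token balance.
# Names are hypothetical and do not mirror FootiumEscrow.sol.

class Escrow:
    def __init__(self, owner, balance, scope_to_owner):
        self.owner = owner
        self.balance = balance
        self.scope_to_owner = scope_to_owner  # False = behaviour described in the report
        self.epoch = 0                        # bumped on every club transfer
        self.allowances = {}                  # spender -> (amount, epoch when granted)

    def approve(self, caller, spender, amount):
        if caller != self.owner:
            raise PermissionError("only the club owner may approve")
        self.allowances[spender] = (amount, self.epoch)

    def transfer_club(self, caller, new_owner):
        if caller != self.owner:
            raise PermissionError("only the club owner may transfer")
        self.owner = new_owner
        self.epoch += 1   # the allowances map is not cleared; only the epoch moves

    def spend(self, spender, amount):
        granted, epoch = self.allowances.get(spender, (0, self.epoch))
        if self.scope_to_owner and epoch != self.epoch:
            granted = 0   # approval was set by a previous owner: treat as revoked
        if amount > granted or amount > self.balance:
            raise PermissionError("allowance or balance exceeded")
        self.allowances[spender] = (granted - amount, epoch)
        self.balance -= amount
        return self.balance


def balance_after_sale(scope_to_owner):
    """Old owner approves an address, the club changes hands, the approval is used."""
    escrow = Escrow("seller", 100, scope_to_owner)
    escrow.approve("seller", "seller_alt", 100)
    escrow.transfer_club("seller", "buyer")
    try:
        escrow.spend("seller_alt", 100)
    except PermissionError:
        pass  # stale approval rejected
    return escrow.balance
```

With `scope_to_owner=False` the buyer's escrow ends at 0; with `scope_to_owner=True` the stale approval is rejected and the balance stays at 100.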