Omniscia Evergon Labs Audit

ERC721Burnable Manual Review Findings

ERL-01M: Incorrect Burn Implementation

Type	Severity	Location
Logical Fault		ERC721Burnable.sol:L18-L23

Description:

The current ERC721Burnable::burn implementation does not implement any authorization checks permitting any NFT ID to be arbitrarily burned.

Impact:

Any NFT ID can be burned without authorization in the current ERC721Burnable implementation.

Example:

contracts/dataManagers/ERC721/ERC721Burnable.sol

11/**
12 * @dev Burns `tokenId`. See {ERC721-_burn}.
13 *
14 * Requirements:
15 *
16 * - The caller must own `tokenId` or be an approved operator.
17 */
18function burn(uint256 tokenId) public virtual {
19    address previousOwner = _update(address(0), tokenId, address(0));
20    if (previousOwner == address(0)) {
21        revert ERC721NonexistentToken(tokenId);
22    }
23}

Recommendation:

We advise proper access control to be imposed by configuring the auth argument of the ERC721Transfers::_update call to the caller (i.e. _msgSender()), ensuring that burn operations are properly authorized.

Alleviation (c6b23c23d8bcd8cce85049ad959cbd711a37126b):

Proper authorization checks are now imposed by the ERC721Burnable::burn function, ensuring that arbitrary NFTs cannot be burned.

Omniscia Evergon Labs Audit

ERC721Burnable Manual Review Findings

ERC721Burnable Manual Review Findings

ERL-01M: Incorrect Burn Implementation

Description:

Impact:

Example:

Recommendation:

Alleviation (c6b23c23d8bcd8cce85049ad959cbd711a37126b):

ERC1155WithERC20FractionsWithCallbackDataManager.sol (ECW-M)

ERC721DataManager.sol (ER2-M)

On this page