Omniscia Evergon Labs Audit

Erc1155FractionFacetStorage Manual Review Findings

Erc1155FractionFacetStorage Manual Review Findings

EFS-01M: Inexplicable Transfer of Data Point Ownership

Description:

The Erc1155FractionFacetStorage::handleFractionPhase function will transfer ownership (and thus administrator-ship) of the data point that is attached to the fractionalized NFT to the original caller that created the NFT, effectively permitting them to create another and attach another data manager to the same data point and thus manipulate balances and other data entries.

Impact:

A malicious user can directly manipulate the fraction balances, total supplies, and other data points at any time as they retain ownership of the underlying data point utilized by the wrapped NFT.

Example:

packages/contracts/contracts/internalFacets/createFractionsPhaseFacets/fractionFacets/erc1155/Erc1155FractionFacetStorage.sol
56function handleFractionPhase(
57    Layout storage l,
58    bytes calldata fractionData,
59    uint256 nftId,
60    address msg_sender
61) internal returns (uint256) {
62    (uint32[] memory chainIds, string memory name, string memory symbol, uint256 amountToBeMinted, address refundAddress) = abi
63        .decode(fractionData, (uint32[], string, string, uint256, address));
64

65    if (nftId == 0) revert NonExistentNftId();
66

67    IERC721(l.wrapper).approve(address(l.fractionErc1155Factory), nftId);
68

69    (address fractionAddress, bytes32 dp) = l.fractionErc1155Factory.deploy{value: msg.value}(
70        chainIds,
71        name,
72        symbol,
73        nftId,
74        amountToBeMinted,
75        payable(refundAddress)
76    );
77

78    DataPoint datapoint = DataPoint.wrap(dp);
79

80    (, address registry, ) = DataPoints.decode(datapoint);
81

82    // Transfer DataPoint ownership to the caller
83    IDataPointRegistry(registry).transferOwnership(datapoint, msg_sender);
84

85    updateState(fractionAddress);
86

87    return amountToBeMinted;
88}

Recommendation:

We advise ownership to be retained by the Diamond itself, preventing a corruption of the data point's storage entries via the introduction of a malicious data manager.

Alleviation (71cda4ccfdcfa25fb96a4565f1f8143b350dd246):

The Data Point's ownership is no longer transferred whenever the fraction phase is handled, alleviating this exhibit.

Prev

Erc1155FractionFacet.sol (EFF-M)

Next

FailedBuybackToFoldFacetStorage.sol (FBF-M)

On this page