Missing validation in `safeBatchTransferFrom` Function
c4-bot-4 opened this issue · 0 comments
Lines of code
Vulnerability details
Description
The `safeBatchTransferFrom` function transfers multiple tokens from one address to another in a single transaction. Its parameters include an array of token IDs (`ids_`) and an array of the corresponding quantities to be transferred (`values_`). According to the ERC-1155 standard, these two arrays must have the same length, with each element in `ids_` corresponding to the element at the same index in `values_`.
The function lacks a critical validation check ensuring that the lengths of the `ids_` and `values_` arrays are equal. This omission can lead to various issues, including unexpected behavior, potential loss of tokens, or contract misbehavior. Because the function moves multiple tokens in one transaction, it is crucial that the arrays representing token IDs and their respective amounts align perfectly.
If `values_` has fewer elements than `ids_`, the function could attempt to access an out-of-bounds index in the `values_` array, which would likely cause a runtime error and revert the transaction. If the lengths of `ids_` and `values_` are mismatched, the function could incorrectly associate quantities with token IDs, leading to unintended token transfers: tokens could be transferred in incorrect amounts, or tokens could be transferred that were not intended to be included in the transaction. In some cases, tokens could even be lost if the intended transfers do not occur as expected.
Impact
The lack of validation can lead to operational errors in the contract, including failed transactions, incorrect token transfers, and loss of tokens. This not only impacts individual users but can also erode trust in the contract and the broader system.
Tools Used
Manual Review
Recommendation
To mitigate these risks, it is essential to introduce validation logic that ensures the `ids_` and `values_` arrays are of equal length before processing the batch transfer.
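One way to implement the recommended check, as an added example that is not the audited contract's code. The contract name, error names, the `mint` helper and the simplified ledger are assumptions made for illustration; operator approval and the ERC-1155 receiver callback are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative ledger only (hypothetical contract, not the project under review).
contract BatchLengthCheckExample {
    // Hypothetical error names; the lengths are included so callers can debug the revert.
    error ArrayLengthMismatch(uint256 idsLength, uint256 valuesLength);
    error InsufficientBalance(address from, uint256 id, uint256 balance, uint256 needed);

    event TransferBatch(
        address indexed operator, address indexed from, address indexed to,
        uint256[] ids, uint256[] values
    );

    mapping(uint256 id => mapping(address account => uint256)) public balanceOf;

    /// Demo-only helper so the example can be exercised; a real token restricts minting.
    function mint(address to_, uint256 id_, uint256 value_) external {
        balanceOf[id_][to_] += value_;
    }

    function safeBatchTransferFrom(
        address from_,
        address to_,
        uint256[] calldata ids_,
        uint256[] calldata values_,
        bytes calldata /* data_ */
    ) external {
        // Simplified authorization (assumption): only the owner may move tokens.
        require(msg.sender == from_, "caller is not owner");

        // Validate before touching state. Without this, a loop bounded by
        // ids_.length would ignore surplus values_ entries, and a short
        // values_ array would only fail later with an out-of-bounds panic.
        if (ids_.length != values_.length) {
            revert ArrayLengthMismatch(ids_.length, values_.length);
        }

        for (uint256 i = 0; i < ids_.length; ++i) {
            uint256 id = ids_[i];
            uint256 value = values_[i];
            uint256 balance = balanceOf[id][from_];
            if (balance < value) revert InsufficientBalance(from_, id, balance, value);
            unchecked { balanceOf[id][from_] = balance - value; } // safe: balance >= value
            balanceOf[id][to_] += value;
        }
        emit TransferBatch(msg.sender, from_, to_, ids_, values_);
    }
}
```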
Assessed type
Invalid Validation