This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
0x52 - Malicious users can honeypot other users by transferring out ERC20 and ERC721 tokens right before sale #291
Labels
Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
High: A valid High severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
0x52
high
Malicious users can honeypot other users by transferring out ERC20 and ERC721 tokens right before sale
Summary
Since the club and escrow are separate and tokens can be transferred at any time by the owner, it allows malicious users to honeypot victims.
Vulnerability Detail
Tokens can be transferred out of the escrow by the owner of the club at any time. This includes right before (or even in the same block as) the sale of the club. This allows users to easily honeypot victims when selling clubs:
Impact
Malicious users can honeypot other users
Code Snippet
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L105-L111
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L120-L126
Tool used
Manual Review
Recommendation
Club/escrow system needs a redesign
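The pattern the finding describes, and one way a sale path can defend against it, as an added illustration that is not part of the original issue and not Footium's contracts. The `ClubRegistry`, `VulnerableEscrow` and `GuardedSale` contracts and all of their function names are hypothetical stand-ins: the escrow reproduces the owner-can-withdraw-anytime behaviour, and the sale contract shows an atomic inventory check (the buyer states what the escrow must still hold, and the purchase reverts in the same transaction if the seller drained it). The mitigation is one illustrative option, not the sponsor's fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal token interfaces so the example compiles without external imports.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IERC721 {
    function ownerOf(uint256 tokenId) external view returns (address);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical club registry: one owner per clubId plus a single approved operator
// that may move the club (the sale contract below relies on this).
contract ClubRegistry {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public approved;

    function mint(uint256 clubId, address to) external {
        require(ownerOf[clubId] == address(0), "already minted");
        ownerOf[clubId] = to;
    }

    function approve(uint256 clubId, address operator) external {
        require(msg.sender == ownerOf[clubId], "not club owner");
        approved[clubId] = operator;
    }

    function transferFrom(address from, address to, uint256 clubId) external {
        require(ownerOf[clubId] == from, "wrong from");
        require(msg.sender == from || msg.sender == approved[clubId], "not authorised");
        ownerOf[clubId] = to;
        delete approved[clubId];
    }
}

// Escrow whose contents the *current* club owner can pull out at any time, with no
// link to any pending sale. This is the honeypot pattern: list the club, wait for a
// buyer, and withdraw everything right before (or in the same block as) the sale.
contract VulnerableEscrow {
    ClubRegistry public immutable registry;
    uint256 public immutable clubId;

    constructor(ClubRegistry registry_, uint256 clubId_) {
        registry = registry_;
        clubId = clubId_;
    }

    modifier onlyClubOwner() {
        require(msg.sender == registry.ownerOf(clubId), "not club owner");
        _;
    }

    function transferERC20(IERC20 token, address to, uint256 amount) external onlyClubOwner {
        require(token.transfer(to, amount), "transfer failed");
    }

    function transferERC721(IERC721 token, address to, uint256 tokenId) external onlyClubOwner {
        token.transferFrom(address(this), to, tokenId);
    }
}

// Illustrative mitigation: the buyer declares the inventory the escrow must still hold,
// and the check runs in the same transaction as the ownership transfer, so a withdrawal
// front-running the purchase makes the purchase revert instead of silently succeeding.
contract GuardedSale {
    struct ExpectedERC20 { IERC20 token; uint256 minBalance; }
    struct ExpectedERC721 { IERC721 token; uint256 tokenId; }
    struct Listing { address seller; uint256 price; }

    ClubRegistry public immutable registry;
    mapping(uint256 => Listing) public listings;

    constructor(ClubRegistry registry_) { registry = registry_; }

    function list(uint256 clubId, uint256 price) external {
        require(msg.sender == registry.ownerOf(clubId), "not club owner");
        listings[clubId] = Listing(msg.sender, price);
    }

    function buyClub(
        uint256 clubId,
        address escrow,
        ExpectedERC20[] calldata erc20s,
        ExpectedERC721[] calldata erc721s
    ) external payable {
        Listing memory l = listings[clubId];
        require(l.seller != address(0) && msg.value == l.price, "bad listing or price");

        // Atomic inventory check: any earlier withdrawal makes the purchase revert.
        for (uint256 i = 0; i < erc20s.length; i++) {
            require(erc20s[i].token.balanceOf(escrow) >= erc20s[i].minBalance, "ERC20 drained before sale");
        }
        for (uint256 i = 0; i < erc721s.length; i++) {
            require(erc721s[i].token.ownerOf(erc721s[i].tokenId) == escrow, "ERC721 drained before sale");
        }

        delete listings[clubId];
        registry.transferFrom(l.seller, msg.sender, clubId); // seller must have approved this contract
        (bool ok, ) = l.seller.call{value: msg.value}("");
        require(ok, "payout failed");
    }
}
```

The check is only meaningful because it sits in the same transaction as the club transfer: a balance read the buyer performs off-chain beforehand is exactly what the same-block withdrawal defeats. The buyer-declared snapshot is one option; another is to have the escrow refuse withdrawals while a listing is active, which keeps the invariant on the seller's side instead.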