ERC-721: Check ownership in transfer_token_from #2093

Merged


zgrannan
Contributor

@zgrannan zgrannan commented Feb 2, 2024

Summary

  • [n] y/n | Does it introduce breaking changes?
  • [n] y/n | Is it dependent on the specific version of cargo-contract or pallet-contracts?

The ERC-721 Specification states that transferFrom should throw if from is not the owner of the token. The current implementation doesn't check that. As a result, it's possible for a caller A who is allowed to transfer B's token T to call transferFrom(C, A, T) without any problem. A side effect is that the balance of C will be decremented instead of B.

The transfer() function also has a similar issue: it seems the intention is to transfer the token from the caller, but the ownership is never checked explicitly. If the caller uses the id of an approved (not owned) token, it will incorrectly decrement the caller's balance.

This PR addresses these issues by adding an ownership check in transfer_token_from. Tests for transfer_from and transfer have been added.

Checklist before requesting a review

  • My code follows the style guidelines of this project
  • I have added an entry to CHANGELOG.md
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works
  • Any dependent changes have been merged and published in downstream modules (No dependent changes)
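
The scenario from the summary above, as an added example that is not part of the PR and not the ink! contract code: a simplified in-memory ledger in plain Rust where `check_owner` switches between the behaviour described as the bug and the behaviour with the ownership check. `Ledger`, `scenario`, the `check_owner` flag, the error names and the single-character accounts are all assumptions made for illustration.

```rust
use std::collections::HashMap;

type Account = char; // constructed stand-in for an on-chain AccountId
#[derive(Debug, PartialEq)]
pub enum Error { TokenNotFound, NotApproved, NotOwner, NoBalance }

#[derive(Default)]
pub struct Ledger {
    owner: HashMap<u32, Account>,    // token id -> owner
    approved: HashMap<u32, Account>, // token id -> approved spender
    balance: HashMap<Account, u32>,  // account -> number of tokens held
}

impl Ledger {
    pub fn mint(&mut self, to: Account, id: u32) {
        self.owner.insert(id, to);
        *self.balance.entry(to).or_insert(0) += 1;
    }
    pub fn owner_of(&self, id: u32) -> Option<Account> { self.owner.get(&id).copied() }
    pub fn balance_of(&self, who: Account) -> u32 { self.balance.get(&who).copied().unwrap_or(0) }
    /// `check_owner = false` models the behaviour the PR describes as the bug.
    pub fn transfer_token_from(&mut self, caller: Account, from: Account, to: Account,
                               id: u32, check_owner: bool) -> Result<(), Error> {
        let owner = self.owner_of(id).ok_or(Error::TokenNotFound)?;
        if caller != owner && self.approved.get(&id) != Some(&caller) { return Err(Error::NotApproved); }
        // The ownership check: `from` must be the token's recorded owner.
        if check_owner && owner != from { return Err(Error::NotOwner); }
        // The balance of `from` is decremented, whoever actually owns the token.
        let bal = self.balance.get_mut(&from).filter(|b| **b > 0).ok_or(Error::NoBalance)?;
        *bal -= 1;
        self.approved.remove(&id);
        self.owner.insert(id, to);
        *self.balance.entry(to).or_insert(0) += 1;
        Ok(())
    }
}

// Constructed scenario: B owns token 1 and approves A; C owns unrelated token 2.
pub fn scenario() -> Ledger {
    let mut l = Ledger::default();
    l.mint('B', 1); l.mint('C', 2);
    l.approved.insert(1, 'A');
    l
}

fn main() {
    let mut l = scenario();
    println!("{:?}", l.transfer_token_from('A', 'C', 'A', 1, false));
    println!("B={} C={}", l.balance_of('B'), l.balance_of('C'));
}
```

Without the check, the balances no longer agree with the ownership map: C still owns token 2 but has balance 0, and B owns nothing but keeps balance 1.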

@zgrannan zgrannan marked this pull request as draft February 2, 2024 18:06
@zgrannan zgrannan changed the title from "ERC-721: Check ownership in transfer_from" to "ERC-721: Check ownership in transfer_token_from" Feb 2, 2024
@zgrannan zgrannan marked this pull request as ready for review February 2, 2024 18:48
Collaborator

@ascjones ascjones left a comment


LGTM

@ascjones ascjones enabled auto-merge (squash) February 5, 2024 17:13
@ascjones ascjones merged commit d21cc6a into use-ink:master Feb 5, 2024
21 of 23 checks passed
@SkymanOne SkymanOne mentioned this pull request Feb 8, 2024
@SkymanOne SkymanOne mentioned this pull request Mar 4, 2024