Skip to content

ERC-721: Check ownership in transfer_token_from#2093

Merged
ascjones merged 3 commits intouse-ink:masterfrom
zgrannan:zgrannan/erc721-transfer-from-owner
Feb 5, 2024
Merged

ERC-721: Check ownership in transfer_token_from#2093
ascjones merged 3 commits intouse-ink:masterfrom
zgrannan:zgrannan/erc721-transfer-from-owner

Conversation

@zgrannan
Copy link
Contributor

@zgrannan zgrannan commented Feb 2, 2024
edited
Loading

Summary

  • [n] y/n | Does it introduce breaking changes?
  • [n] y/n | Is it dependant on the specific version of cargo-contract or pallet-contracts?

The ERC-721 Specification states that transferFrom should throw if from is not the owner of the token. The current implementation doesn't check that. As a result, it's possible for a caller A who is allowed to transfer B's token T, can call transferFrom(C, A, T) without any problem. A side effect is that the balance of C will be decremented instead of B.

The transfer() function also has a similar issue: it seems the intention is to transfer the token from the caller, but the ownership is never checked explicitly. If the caller uses the id of an approved (not owned) token, it will incorrectly decrement the caller's balance.

This PR addresses these issues by adding an ownership check in transfer_token_from. Tests for transfer_from and transfer have been added.

Checklist before requesting a review

  • My code follows the style guidelines of this project
  • I have added an entry to CHANGELOG.md
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works
  • Any dependent changes have been merged and published in downstream modules No dependent changes

@zgrannan zgrannan marked this pull request as draft February 2, 2024 18:06
@zgrannan zgrannan changed the title ERC-721: Check ownership in transfer_from ERC-721: Check ownership in transfer_token_from Feb 2, 2024
@zgrannan zgrannan marked this pull request as ready for review February 2, 2024 18:48
ascjones
ascjones approved these changes Feb 5, 2024
View reviewed changes
Copy link
Collaborator

@ascjones ascjones left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ascjones ascjones enabled auto-merge (squash) February 5, 2024 17:13
@ascjones ascjones merged commit d21cc6a into use-ink:master Feb 5, 2024
@SkymanOne SkymanOne mentioned this pull request Feb 8, 2024
Merged
@SkymanOne SkymanOne mentioned this pull request Mar 4, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ascjones ascjones ascjones approved these changes

@cmichi cmichi Awaiting requested review from cmichi cmichi is a code owner

@SkymanOne SkymanOne Awaiting requested review from SkymanOne

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zgrannan @ascjones