Skip to content

Commit

Permalink
October Audit 3.2 Selector and Calldata Length (#463)
Browse files Browse the repository at this point in the history
  • Loading branch information
@hanzel98
hanzel98 committed Oct 30, 2024
1 parent 87c50b1 commit 61b0587
Show file tree
Hide file tree
Showing 3 changed files with 10 additions and 5 deletions.
3 changes: 2 additions & 1 deletion src/enforcers/ERC721TransferEnforcer.sol
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,6 @@ contract ERC721TransferEnforcer is CaveatEnforcer {
{
(address permittedContract_, uint256 permittedTokenId_) = getTermsInfo(_terms);
(address target_,, bytes calldata callData_) = ExecutionLib.decodeSingle(_executionCallData);
bytes4 selector_ = bytes4(callData_[0:4]);

// Decode the remaining callData into NFT transfer parameters
// The calldata should be at least 100 bytes (4 bytes for the selector + 96 bytes for the parameters)
Expand All @@ -48,6 +47,8 @@ contract ERC721TransferEnforcer is CaveatEnforcer {
revert("ERC721TransferEnforcer:invalid-address");
}

bytes4 selector_ = bytes4(callData_[0:4]);

if (target_ != permittedContract_) {
revert("ERC721TransferEnforcer:unauthorized-contract-target");
} else if (selector_ != IERC721.transferFrom.selector) {
Expand Down
5 changes: 3 additions & 2 deletions src/enforcers/OwnershipTransferEnforcer.sol
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,11 +72,12 @@ contract OwnershipTransferEnforcer is CaveatEnforcer {
returns (address newOwner_)
{
(address target_,, bytes calldata callData_) = _executionCallData.decodeSingle();
bytes4 selector = bytes4(callData_[0:4]);
require(selector == IERC173.transferOwnership.selector, "OwnershipTransferEnforcer:invalid-method");

require(callData_.length == 36, "OwnershipTransferEnforcer:invalid-execution-length");

bytes4 selector_ = bytes4(callData_[0:4]);
require(selector_ == IERC173.transferOwnership.selector, "OwnershipTransferEnforcer:invalid-method");

address targetContract_ = getTermsInfo(_terms);
require(targetContract_ == target_, "OwnershipTransferEnforcer:invalid-contract");

Expand Down
7 changes: 5 additions & 2 deletions test/enforcers/OwnershipTransferEnforcer.t.sol
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,8 +90,11 @@ contract OwnershipTransferEnforcerTest is CaveatEnforcerBaseTest {
// Reverts if the method called is not transferOwnership
function test_notAllow_invalidMethod() public {
bytes memory terms_ = abi.encodePacked(mockContract);
transferOwnershipExecution =
Execution({ target: mockContract, value: 0, callData: abi.encodeWithSelector(bytes4(keccak256("someOtherMethod()"))) });
transferOwnershipExecution = Execution({
target: mockContract,
value: 0,
callData: abi.encodeWithSelector(bytes4(keccak256("someOtherMethod(address)")), address(0))
});
transferOwnershipExecutionCallData = ExecutionLib.encodeSingle(
transferOwnershipExecution.target, transferOwnershipExecution.value, transferOwnershipExecution.callData
);
Expand Down

0 comments on commit 61b0587

Please sign in to comment.