Custom ERC721 implementation lacks access control checks in _transfer()
Description
The _transfer() function in a custom ERC721 implementation moves token balances without verifying that msg.sender is the token's owner or an address the owner has approved (via approve() or setApprovalForAll()). If this function is reachable from an external entry point that performs no check of its own, any caller can transfer any holder's token to an arbitrary address.
Examples
Insecure Code
```solidity
function _transfer(address from, address to, uint256 tokenId) internal {
    // missing access control check: nothing ties msg.sender to `from` or to `tokenId`
    _balances[from] -= 1;
    _balances[to] += 1;
    _owners[tokenId] = to;
}
```

Secure Code
```solidity
function _transfer(address from, address to, uint256 tokenId) internal {
    // caller must be the owner, the per-token approved address, or an approved operator
    require(_isApprovedOrOwner(msg.sender, tokenId), "caller is not token owner or approved");
    // `from` must actually hold the token being moved
    require(ownerOf(tokenId) == from, "transfer from incorrect owner");
    _balances[from] -= 1;
    _balances[to] += 1;
    _owners[tokenId] = to;
}
```

Remediation
Gate the transfer path on the caller's authority: require that msg.sender is the token owner, the per-token approved address, or an operator approved for all of the owner's tokens (the _isApprovedOrOwner(msg.sender, tokenId) pattern), and check that `from` actually owns `tokenId`. If _transfer() is kept as an internal helper without the check, as in the OpenZeppelin layout, every external function that calls it (transferFrom, safeTransferFrom, and any custom batch or marketplace helper) must perform the check before reaching it. Also update the owner mapping and clear the per-token approval on transfer, so a stale approval cannot be reused after the token changes hands.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0436 |
| Category | AccessControl |
| Severity | HIGH |
| CWE | CWE-284 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | erc721, access control |
| OWASP | N/A |
References
- https://twitter.com/BlockSecAlert/status/1516289618605654024
- https://etherscan.io/address/0xf3821adaceb6500c0a202971aecf840a033f236b