Ackee[W6]: Prevent TokenCallbackHandler from Locking Tokens#965
Merged
nlordell merged 1 commit intoaudit/v1.5from May 27, 2025
Merged
Ackee[W6]: Prevent TokenCallbackHandler from Locking Tokens#965nlordell merged 1 commit intoaudit/v1.5from
TokenCallbackHandler from Locking Tokens#965nlordell merged 1 commit intoaudit/v1.5from
Conversation
mmv08
approved these changes
May 14, 2025
remedcu
approved these changes
May 14, 2025
nlordell
changed the title
TokenCallbackHandler Locks TokensTokenCallbackHandler from Locking Tokens
mmv08
approved these changes
May 21, 2025
| function _requireFallback() internal view { | ||
| bytes memory storageData = ISafe(payable(msg.sender)).getStorageAt(uint256(FALLBACK_HANDLER_STORAGE_SLOT), 1); | ||
| address fallbackHandler = abi.decode(storageData, (address)); | ||
| require(fallbackHandler == address(this), "not a fallback call"); |
Contributor
There was a problem hiding this comment.
shall we introduce a new error code?
Collaborator
Author
There was a problem hiding this comment.
AFAIU we don't do error codes outside of the core contract:
rmeissner
approved these changes
May 21, 2025
remedcu
approved these changes
May 21, 2025
A byproduct of the `TokenCallbackHandler` implementing token callback functions is that it is able to receive tokens (such as ERC-721) despite not being designed to do so. Tokens sent to this contract will be permanently locked: SO DO NOT SEND TOKENS TO THIS CONTRACT! This PR adds a documentation blurb to the contract in question to document this shortcomming. Unfortunately, this is not something that can be reasonably checked for such that the handlers `revert`.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR changes the implementation of
TokenCallbackHandlerandTokenCallbacksto make a best-effort check on whether the tokens were sent to a Safe that configures a token callback handler contract as a fallback handler, or if it sent to the fallback handler contract itself directly.Thanks @remedcu and @rmeissner for the suggestions on how to implement it! Basically, it works calling the
msg.senderand expecting it to be a Safe configured with the fallback handler. This would either:StorageAccessibleFALLBACK_HANDLER_SLOTset to the actual fallback handlerNote, however, that it is possible to trick the fallback handler into receiving tokens. Because of this, we document that the checks are best-effort only! We add a test to document how the fallback handler can be tricked.