SYM_SOL_0016 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Access Control
| Property | Value |
|---|---|
| Language | solidity |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | High |
## Description
The custom ERC721 contract's `_transfer()` function does not check whether the caller (`msg.sender`) is the token's owner or an account approved for it before transferring the token. Because this authorization check is missing, anyone can transfer NFTs they neither own nor are approved to move.
## Impact
Without these checks, attackers could transfer or steal NFTs from any user, leading to unauthorized asset loss, financial damage, and loss of trust in the contract. This vulnerability puts all token holders at risk of having their NFTs taken without consent.