Updated ERC1155 Discount Validator #100
Conversation
✅ Heimdall Review Status
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
Review Error for abdulla-cb @ 2024-11-04 23:14:04 UTC |
| uint256[] memory ids = abi.decode(validationData, (uint256[])); | ||
| for (uint256 i; i < ids.length; i++) { | ||
| uint256 id = ids[i]; | ||
| if (approvedTokenIds[id] && token.balanceOf(claimer, id) > 0) { |
There was a problem hiding this comment.
This technically adds a reentrancy risk, which should be mitigated by the fact that this a token that we are specifying.
Can we wrap this external call in a staticcall to remove any risk? It will also make it easier when we want to add more validators, nobody will have to review the balance function beforehand.
There was a problem hiding this comment.
Good catch, updated to include a staticcall helper method for balance checks.
|
Review Error for cb-elileers @ 2024-11-04 23:40:11 UTC |
| } | ||
|
|
||
| /// @notice Helper for staticcalling getBalance to avoid reentrancy vector. | ||
| function _getBalance(address claimer, uint256 id) internal view returns (uint256) { |
There was a problem hiding this comment.
This is great. I like that you pulled in the OZ Address library for this instead of writing a new implementation.
In this version of the ERC1155 discount validator, we accept an array of uints upon initialization, setting the approved token Ids for the token collection.
Upon calling the
isValidDiscountRegistration, an integrator should pack the token Ids in an array and pass this as thevalidationDatabytes. For example, to check for token ids 0, 1 and 2, an integrator would setvalidationDatausingabi.encode([0,1,2]).The token Ids are decoded into an
uint[] idsobject and each is checked forclaimerThe validator returns
trueif both criteria are true for a single tokenId, elsefalse.