Seems like a bit of an oversight, or perhaps I’m not seeing the protection mechanisms. I’m noticing the transferFrom function uses “amountOrId” as an input. Could NFTs theoretically be stolen from liquidity providers? A DEX using the approve and transferFrom function to perform swaps means if a user buys a low enough amount of token they could theoretically trigger an ERC721 transfer instead of an ERC20 transfer. In fact anyone using the approve method for any ERC20 amount is susceptible to this type of attack.
For example, if I buy 1000 wei (0.000000000000001 ERC20) I could theoretically steal NFT #1000 if it’s being provided by a liquidity provider on a DEX using approve and transferFrom. Not sure which, if any, DEXes use this method for swaps. It’s just a matter of finding out who provides liquidity, which token IDs they own and buying exactly those amounts of ERC20 wei. I did notice a whitelist but I assume that will only work if the whitelisted exchange or contract holds the token instead of facilitating the swap.
Thoughts?
This is purely a technical question and in no way am I encouraging anyone to attempt this on live projects. I’ll be writing some hardhat tests to share later testing my assumptions on a VM.
(I'm not a project maintainer and not associated with Pandora)
I think that is a known issue that this overload design will break some protocols if directly integrating ERC404 naively (https://twitter.com/0xQuit/status/1755702881930432527). But for most DEXes, I think they use the transfer function to send tokens out. Plus if DEX contracts are in the exemption list they won't be holding any NFT.
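The `amountOrId` ambiguity discussed in this thread, as an added example that is not part of the original posts and is not Pandora's contract code: a simplified JavaScript model of the overloaded argument plus an integrator-side guard. The routing rule (values in `1..minted` are read as NFT ids), the `approve` branch, and the names `Erc404Model`, `route` and `assertFungibleAmount` are assumptions made for illustration.

```javascript
// Simplified model, constructed for illustration (not Pandora's contract code).
// Assumption: a value in 1..minted is read as an NFT id, anything else as an
// ERC20 amount in wei.
class Erc404Model {
  constructor(minted) {
    this.minted = minted;         // highest NFT id minted so far (BigInt)
    this.ownerOf = new Map();     // NFT id -> owner
    this.nftApproved = new Map(); // NFT id -> approved spender
    this.allowance = new Map();   // "owner|spender" -> ERC20 allowance
  }

  // Which branch the overloaded amountOrId argument selects.
  route(amountOrId) {
    return amountOrId > 0n && amountOrId <= this.minted ? "erc721" : "erc20";
  }

  approve(caller, spender, amountOrId) {
    if (this.route(amountOrId) === "erc721") {
      // Id branch: only the NFT's owner may approve; no ERC20 allowance is set.
      if (this.ownerOf.get(amountOrId) !== caller) throw new Error("Unauthorized");
      this.nftApproved.set(amountOrId, spender);
      return "erc721";
    }
    this.allowance.set(`${caller}|${spender}`, amountOrId);
    return "erc20";
  }
}

// Integrator-side guard (hypothetical helper): reject any amount the token
// would interpret as an NFT id before passing it to approve/transferFrom.
function assertFungibleAmount(token, amount) {
  if (token.route(amount) === "erc721") {
    throw new Error(`amount ${amount} is in the NFT id range 1..${token.minted}`);
  }
  return amount;
}

// Constructed scenario: 5000 NFTs minted, "lp" owns id 1000.
function demo() {
  const token = new Erc404Model(5000n);
  token.ownerOf.set(1000n, "lp");
  const small = token.approve("lp", "router", 1000n);        // read as id 1000
  const large = token.approve("lp", "router", 10n ** 18n);   // read as 1 token
  let guarded = "accepted";
  try { assertFungibleAmount(token, 1000n); } catch (e) { guarded = "rejected"; }
  return { small, large, guarded, erc20Allowance: token.allowance.get("lp|router") };
}
```

In this model an integration that forwards arbitrary user-chosen amounts needs the guard, because a small wei value silently changes which approval table is written.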