Hi @ivanmmurcia , love this EIP, the lack of a proper approval pattern is a big problem with ERC-1155, this EIP will definitely help to make it a more robust standard.
A couple things regarding the reference implementation:
1-The proposal states safeTransferFrom
MUST Subtract the transferred amount of tokens from the approved amount if msg.sender is not approved with setApprovalForAll
But in the reference implementation, the allowance is decremented in all cases. In the case of an operator being approvedForAll
, this means _allowances[from][msg.sender][id]
can underflow and lead to an allowance being silently inflated.
You can add a check before decrementing:
require(
from == msg.sender || isApprovedForAll(from, msg.sender) || allowance(from, msg.sender, id) >= amount,
"ERC1155: caller is not owner nor approved nor approved for amount"
);
+ if (from != msg.sender && !isApprovedForAll(from, msg.sender)) {
unchecked {
_allowances[from][msg.sender][id] -= amount;
}
+ }
_safeTransferFrom(from, to, id, amount, data);
2-There is a tiny logic issue in safeBatchTransferFrom
: The error string line 89 in safeBatchTransferFrom
will never be reached, because_checkApprovalForBatch
never returns false, it either returns true or reverts line 111 if one of the ids to be transferred does not have sufficient allowance.
You can amend the _checkApprovalForBatch
so that it returns false instead of reverting if the allowance is not enough.
- require(allowance(from, to, ids[i]) >= amounts[i], "ERC1155ApprovalByAmount: operator is not approved for that id or amount");
+ if (allowance(from, to, ids[i]) < amounts[i]) {
+ return false;
+ }
unchecked {
_allowances[from][to][ids[i]] -= amounts[i];
++i;
}