diff --git a/contracts/NFTBucket.sol b/contracts/NFTBucket.sol index 785ca9f..08383a8 100644 --- a/contracts/NFTBucket.sol +++ b/contracts/NFTBucket.sol @@ -148,6 +148,7 @@ contract NFTBucket is IERC165, IERC721Receiver { } function onERC721Received(address _operator, address _from, uint256 _tokenID, bytes calldata _data) external override(IERC721Receiver) returns(bytes4) { + require(msg.sender == address(tokenContract), "only the NFT contract can call this"); require((_operator == owner) || (_from == owner), "only the owner can create gifts"); require(_data.length == 52, "invalid data field"); diff --git a/test/nft_contract_spec.js b/test/nft_contract_spec.js index 7de9034..2f1d0cf 100644 --- a/test/nft_contract_spec.js +++ b/test/nft_contract_spec.js @@ -197,6 +197,16 @@ contract("NFTBucket", function () { }); + it("cannot create two gifts for the same token", async function() { + try { + await NFTBucket.methods.onERC721Received(shop, shop, 0xcafe, createGiftData(keycard_3)).send({from: shop}); + assert.fail("transfer should have failed"); + } catch(e) { + assert.match(e.message, /only the NFT/); + } + + }); + async function testRedeem(receiver, recipient, signer, relayer, redeemCode, blockNumber, blockHash) { let gift = await NFTBucket.methods.gifts(recipient).call(); const tokenID = gift.tokenID;