onERC721Received Explained in Detail
onERC721Received is called when an ERC721 token is safely transferred to a contract. The recipient must return the expected selector to accept the token.
This hook is an external callback during token movement.
Smart contract example
function onERC721Received(
address operator,
address from,
uint256 tokenId,
bytes calldata data
) external returns (bytes4);
The expected return value is IERC721Receiver.onERC721Received.selector.
onERC721Received in Auditing
Receiver hooks give recipient contracts control during a transfer. If the sender updates critical state after the hook, a malicious receiver may reenter and exploit stale state.
Auditors check both the token contract and receiver contracts.
Red flags in code
-
The token ignores the returned selector.
-
The receiver is trusted without review.
-
Ownership or mint-limit state changes after the hook.
-
The receiver can call back into mint, transfer, claim, or withdraw flows.
-
Gas-heavy receivers can grief transfers.
How to test or review it
-
Test receivers returning correct and incorrect selectors.
-
Test receivers that revert.
-
Test receivers that reenter the token contract.
-
Confirm state is safe before the hook runs.
-
Review any receiver-side logic that trusts
operator,from, ordata.