safeTransferFrom Explained in Detail
safeTransferFrom moves tokens and checks whether a contract recipient accepts them. ERC721 uses token ownership. ERC1155 uses per-ID balances for single-ID transfers. ERC1155 batch movement uses safeBatchTransferFrom.
The function must enforce authorization before moving assets.
Smart contract example
safeTransferFrom(from, to, tokenId, data);
safeTransferFrom(from, to, id, amount, data);
ERC721 and ERC1155 use similar names but different arguments.
safeTransferFrom in Auditing
safeTransferFrom is a high-traffic asset movement function. It touches authorization, balances or ownership, receiver hooks, and events.
Auditors treat it as a sensitive entry point, especially in custom token implementations.
Red flags in code
-
Missing owner, approval, or operator checks.
-
Receiver hook return values are not validated.
-
State updates happen after external callbacks.
-
ERC1155 arrays are not length-checked.
-
Custom code handles ERC721 and ERC1155 flows interchangeably.
How to test or review it
-
Test owner, approved address, approved operator, and unauthorized caller.
-
Transfer to accepting, rejecting, reverting, and reentrant receivers.
-
Check ERC1155 single and batch edge cases.
-
Confirm balances, ownership, approvals, and events match final state.
-
Review callback ordering for reentrancy risk.