Platform: Code4rena
Start Date: 18/04/2024
Pot Size: $36,500 USDC
Total HM: 19
Participants: 183
Period: 7 days
Judge: Koolex
Id: 367
League: ETH
Rank: 180/183
Findings: 1
Award: $0.02
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: MrPotatoMagic
Also found by: 0x175, 0x486776, 0x77, 0xAkira, 0xAsen, 0xDemon, 0xabhay, 0xblack_bird, 0xlemon, 0xloscar01, 0xtankr, 3docSec, 4rdiii, Abdessamed, AlexCzm, Angry_Mustache_Man, BiasedMerc, Circolors, Cryptor, DMoore, DPS, DedOhWale, Dinesh11G, Dots, GalloDaSballo, Giorgio, Honour, Imp, Jorgect, Krace, KupiaSec, Mrxstrange, NentoR, Pechenite, PoeAudits, Ryonen, SBSecurity, Sabit, T1MOH, TheFabled, TheSavageTeddy, Tychai0s, VAD37, Vasquez, WildSniper, ZanyBonzy, adam-idarrha, alix40, asui, blutorque, btk, c0pp3rscr3w3r, caglankaan, carrotsmuggler, d_tony7470, dimulski, dinkras, djxploit, falconhoof, forgebyola, grearlake, imare, itsabinashb, josephdara, kartik_giri_47538, ke1caM, kennedy1030, koo, lionking927, ljj, niser93, pep7siup, poslednaya, ptsanev, sashik_eth, shaflow2, steadyman, turvy_fuzz, ubl4nk, valentin_s2304, web3km, xyz, y4y, zhaojohnson, zigtur
0.0234 USDC - $0.02
User who owns the deposited ID cannot make a withdrawal
VaultManagerV2::deposit() is the function users call to deposit collateral into the vault they own. It allows anyone to deposit to any valid DNFT ID, because it is guarded only by the isValidDNft modifier. The function also contains logic intended to block flash loan attacks, by recording the block of the last deposit:
idToBlockOfLastDeposit[id] = block.number;
Because of this, a withdrawal in the same block as the last deposit reverts:
if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();
The main problem lies in the modifier used, isValidDNft, which only checks that the owner of the ID is not address(0). As a result, anyone can deposit to the vault of any valid ID, and in doing so block the owner of that ID from making withdrawals.
The scenario is as follows:
1. Alice owns a valid DNFT ID. Bob calls deposit() with Alice's ID. isValidDNft only checks whether the owner of Alice's DNFT ID is address(0) or not; since Alice's ID has been valid (not address(0)) from the beginning, the check passes.
2. idToBlockOfLastDeposit[id] is updated to the block.number in which Bob made the deposit.
3. In that same block.number, Alice's withdrawal always reverts because idToBlockOfLastDeposit[id] == block.number.
4. A deposit of just 1 wei is enough for Bob to update the value of idToBlockOfLastDeposit.
Tools Used: Manual review
Recommended Mitigation Steps: Consider restricting deposits to the DNFT ID owner by adding the isDNftOwner modifier:
function deposit(
    uint id,
    address vault,
    uint amount
) external isValidDNft(id) isDNftOwner(id) {
    idToBlockOfLastDeposit[id] = block.number;
    Vault _vault = Vault(vault);
    _vault.asset().safeTransferFrom(msg.sender, address(vault), amount);
    _vault.deposit(id, amount);
}
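As an added illustration (not the DYAD code and not this report's own PoC), the following simplified contract places the unrestricted deposit beside the owner-restricted one and the same-block withdraw guard they interact with. The IDNft interface and the per-id balance accounting are assumptions made for the model; vault transfers are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed minimal view of the DNft ERC721; only ownerOf is needed here.
interface IDNft {
    function ownerOf(uint id) external view returns (address);
}

// Simplified model of the deposit/withdraw flow described in the finding.
contract VaultManagerModel {
    error DepositedInSameBlock();
    error NotOwner();
    error InvalidDNft();

    IDNft public immutable dNft;
    mapping(uint => uint) public idToBlockOfLastDeposit;
    mapping(uint => uint) public balanceOf; // toy collateral accounting per DNft id

    constructor(IDNft _dNft) { dNft = _dNft; }

    // Mirrors the check described in the report: existence only, not ownership.
    modifier isValidDNft(uint id) {
        if (dNft.ownerOf(id) == address(0)) revert InvalidDNft();
        _;
    }

    modifier isDNftOwner(uint id) {
        if (dNft.ownerOf(id) != msg.sender) revert NotOwner();
        _;
    }

    // Vulnerable shape: any caller may deposit against any existing id, so a third
    // party can refresh idToBlockOfLastDeposit[id] and make the owner's withdraw()
    // in the same block revert with DepositedInSameBlock.
    function depositVulnerable(uint id, uint amount) external isValidDNft(id) {
        idToBlockOfLastDeposit[id] = block.number;
        balanceOf[id] += amount;
    }

    // Hardened shape: only the id's owner may deposit, so only the owner can arm
    // the same-block guard against their own withdrawals.
    function deposit(uint id, uint amount) external isValidDNft(id) isDNftOwner(id) {
        idToBlockOfLastDeposit[id] = block.number;
        balanceOf[id] += amount;
    }

    function withdraw(uint id, uint amount) external isDNftOwner(id) {
        if (idToBlockOfLastDeposit[id] == block.number) revert DepositedInSameBlock();
        balanceOf[id] -= amount;
    }
}
```

A unit test for the hardened path should assert that a non-owner's deposit() reverts with NotOwner, and that a deposit by the owner followed by a withdraw in the next block succeeds.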
Assessed type: DoS
#0 - c4-pre-sort
2024-04-27T11:28:59Z
JustDravee marked the issue as duplicate of #1103
#1 - c4-pre-sort
2024-04-27T11:45:41Z
JustDravee marked the issue as duplicate of #489
#2 - c4-pre-sort
2024-04-29T09:26:20Z
JustDravee marked the issue as sufficient quality report
#3 - c4-judge
2024-05-05T20:38:13Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#4 - c4-judge
2024-05-05T20:39:22Z
koolexcrypto marked the issue as unsatisfactory: Invalid
#5 - c4-judge
2024-05-05T21:31:20Z
koolexcrypto marked the issue as nullified
#6 - c4-judge
2024-05-05T21:31:27Z
koolexcrypto marked the issue as not nullified
#7 - c4-judge
2024-05-08T15:29:06Z
koolexcrypto marked the issue as duplicate of #1001
#8 - c4-judge
2024-05-11T19:50:47Z
koolexcrypto marked the issue as satisfactory