Platform: Code4rena
Start Date: 08/01/2024
Pot Size: $83,600 USDC
Total HM: 23
Participants: 116
Period: 10 days
Judge: 0xean
Total Solo HM: 1
Id: 317
League: ETH
Rank: 77/116
Findings: 2
Award: $25.02
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: stackachu
Also found by: 0xA5DF, 0xDING99YA, 0xc695, CipherSleuths, EV_om, HSP, cccz, evmboi32, hals, hash, jasonxiale, juancito, kaden, lanrebayode77, rbserver
22.2973 USDC - $22.30
onERC721Received could fail if the lender is a contract. We could end up with a situation where the lender would not get the NFT back and the borrower would not get the payment.
When finishing a PAY order (an order for which the lender is paying the borrower), the stopRent(...) function is in charge of transferring the NFT to the lender and the payment to the borrower.
Its logic is the following:
If the NFT transfer were to fail, we would not be able to process the due payments.
The transfer of the NFT is done through the _transferERC721_(...) function of the Reclaimer contract. It uses the safeTransferFrom function of the ERC721 standard. This function checks whether the receiver is a contract and, if so, calls the onERC721Received function on it.
If the receiver contract does not implement this function, the transfer will fail and the payments will not be settled.
onERC721Received function.
ERC721
#0 - c4-pre-sort
2024-01-21T18:02:26Z
141345 marked the issue as duplicate of #65
#1 - c4-judge
2024-01-28T19:23:10Z
0xean marked the issue as satisfactory
#2 - c4-judge
2024-01-28T20:51:59Z
0xean changed the severity to 3 (High Risk)
#3 - c4-judge
2024-01-30T14:21:44Z
0xean changed the severity to 2 (Med Risk)
🌟 Selected for report: stackachu
Also found by: 0xHelium, 0xabhay, 0xc695, 0xpiken, DeFiHackLabs, EV_om, HSP, J4X, Krace, KupiaSec, Qkite, ZanyBonzy, albertwh1te, cccz, evmboi32, hals, hash, holydevoti0n, krikolkk, ladboy233, lanrebayode77, marqymarq10, oakcobalt, peanuts, peter, rbserver, said, serial-coder, sin1st3r__
2.7205 USDC - $2.72
This is a big issue as it would not let the lender get back the NFT.
When finishing a PAY order (an order for which the lender is paying the borrower), the stopRent(...) function is in charge of transferring the NFT to the lender and the payment to the borrower.
Its logic is the following:
For some famous tokens like USDT or USDC, the borrower could be a blacklisted address. In the context of a PAY order, the borrower is the one receiving the payment.
In order to settle the payment at the end of (or during) a PAY order, the protocol uses the safeTransfer(...) function of the ERC20 standard. This function checks that the payment did not fail and reverts if it did.
EVM transactions being atomic, if the payment fails, the NFT transfer will also fail and the NFT will not be transferred back to the lender.
It would be stuck in the borrower Safe.
Manual review
ERC20
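The coupling described in the second finding above, next to one common way to break it, as an added example that is not part of the original submission or of the reNFT code base. The `SettlementSketch` contract, its function names and the `owed` ledger are hypothetical, and the sketch assumes a single contract holds both the NFT and the ERC20 payment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical escrow sketch, not reNFT code. Assumption: this contract holds
// both the rented NFT and the ERC20 payment until the operator stops the rental.
contract SettlementSketch {
    address public immutable operator = msg.sender;
    // token => payee => amount that could not be pushed and must be claimed.
    mapping(address => mapping(address => uint256)) public owed;

    modifier onlyOperator() { require(msg.sender == operator, "not operator"); _; }

    // Coupled: if the payment fails (e.g. a blacklisted borrower) the whole
    // transaction reverts, so the NFT return on the line above is undone too.
    function settleCoupled(IERC721 nft, uint256 id, address lender, address token,
                           address borrower, uint256 amount) external onlyOperator {
        nft.safeTransferFrom(address(this), lender, id);
        require(_tryPay(token, borrower, amount), "payment failed");
    }

    // Decoupled: a failed payment is recorded instead of reverting, so the
    // lender still gets the NFT. The NFT leg itself can still revert when the
    // lender is a contract without onERC721Received.
    function settleDecoupled(IERC721 nft, uint256 id, address lender, address token,
                             address borrower, uint256 amount) external onlyOperator {
        nft.safeTransferFrom(address(this), lender, id);
        if (!_tryPay(token, borrower, amount)) owed[token][borrower] += amount;
    }

    // Pull path: the payee names a destination the token will accept.
    function claim(address token, address to) external {
        uint256 amount = owed[token][msg.sender];
        require(amount != 0, "nothing owed");
        owed[token][msg.sender] = 0; // clear before the external call
        require(_tryPay(token, to, amount), "claim failed");
    }

    // Low-level transfer that returns false instead of bubbling up a revert.
    // Success: the call succeeded and returned nothing (USDT-style) or true.
    function _tryPay(address token, address to, uint256 amount) private returns (bool) {
        if (token.code.length == 0) return false;
        (bool ok, bytes memory ret) =
            token.call(abi.encodeWithSignature("transfer(address,uint256)", to, amount));
        return ok && (ret.length == 0 || (ret.length >= 32 && abi.decode(ret, (uint256)) == 1));
    }
}
```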
#0 - c4-pre-sort
2024-01-21T17:36:02Z
141345 marked the issue as duplicate of #64
#1 - c4-judge
2024-01-28T20:49:24Z
0xean changed the severity to 2 (Med Risk)
#2 - c4-judge
2024-01-28T21:00:47Z
0xean marked the issue as satisfactory