Astaria contest - 7siech's results

On a mission to build a highly liquid NFT lending market.

General Information

Platform: Code4rena

Start Date: 05/01/2023

Pot Size: $90,500 USDC

Total HM: 55

Participants: 103

Period: 14 days

Judge: Picodes

Total Solo HM: 18

Id: 202

League: ETH

Astaria

Researcher Performance

Rank: 56/103

Findings: 1

Award: $104.25

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: csanuragjain

Also found by: 7siech, KIntern_NA, Koolex, bin2chen, cergyk, evan, obront, unforgiven

Labels

bug
3 (High Risk)
satisfactory
duplicate-19

Awards

104.2518 USDC - $104.25

External Links

Lines of code

https://github.com/code-423n4/2023-01-astaria/blob/main/src/VaultImplementation.sol#L287

Vulnerability details

Impact

Once a borrower has committed to a loan, any subsequent loans made through VaultImplementation.commitToLien directly can specify any address as the receiver.

One potential threat vector is that a public vault can try to motivate existing borrowers to take out a new loan with very attractive terms and make them sign a transaction interacting with the PublicVault directly.

To make the receiver more opaque, the malicious strategist can specify the vault address as the receiver. In the previous epoch, the colluding LP can request to withdraw their capital and can thus drain the vault of the loan issued to the vault itself.

The result is that the borrower will not receive the loan amount but is still responsible for paying it back, potentially resulting in liquidation of their collateral NFT.

Proof of Concept

Forge test - https://gist.github.com/simonpure/a5305a0d9436ddf5a7cad2fff01f69ee#file-vaultexploit-t-sol

Logs - https://gist.github.com/simonpure/a5305a0d9436ddf5a7cad2fff01f69ee#file-log-txt

Tools Used

Forge

  • Limit committing to liens through AstariaRouter.commitToLiens
  • Make VaultImplementation.commitToLien a privileged call for the router only
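
The router-only restriction from the list above, shown as an added example in a stand-alone model; it is not Astaria's code and not part of the submission. `GuardedVault`, `Router`, `ICollateral`, the error names and the extra receiver check are all hypothetical, and the model assumes that the collateral holder is the borrower and that loans are paid in native currency.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical stand-in for the collateral registry; not an Astaria interface.
interface ICollateral {
    function ownerOf(uint256 id) external view returns (address);
}

contract GuardedVault {
    address public immutable ROUTER;          // assumed single trusted entry point
    ICollateral public immutable COLLATERAL;
    mapping(uint256 => uint256) public debt;  // collateralId => amount owed

    error NotRouter();
    error ReceiverNotHolder();

    constructor(address router, ICollateral collateral) {
        ROUTER = router;
        COLLATERAL = collateral;
    }

    // Mitigation from the list: opening a lien is a privileged, router-only call.
    modifier onlyRouter() {
        if (msg.sender != ROUTER) revert NotRouter();
        _;
    }

    function commitToLien(uint256 collateralId, uint256 amount, address receiver)
        external
        onlyRouter
    {
        // Extra check added for this example: the party that takes on the debt
        // must be the party that is paid, so `receiver` cannot be arbitrary.
        if (receiver != COLLATERAL.ownerOf(collateralId)) revert ReceiverNotHolder();
        debt[collateralId] += amount;                  // effects before interaction
        (bool ok, ) = receiver.call{value: amount}("");
        require(ok, "payout failed");
    }

    receive() external payable {}                      // LP deposits, simplified
}

contract Router {
    // The receiver is fixed to the caller and is never a caller-supplied argument.
    function commitToLien(GuardedVault vault, uint256 collateralId, uint256 amount) external {
        vault.commitToLien(collateralId, amount, msg.sender);
    }
}
```

A direct call to `GuardedVault.commitToLien` from any address other than the router reverts with `NotRouter`, and a router call from anyone other than the collateral holder reverts with `ReceiverNotHolder`.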

#0 - c4-judge

2023-01-26T16:41:16Z

Picodes marked the issue as duplicate of #565

#1 - c4-judge

2023-02-15T07:13:43Z

Picodes marked the issue as satisfactory

#2 - Picodes

2023-02-15T07:14:15Z

The mitigation and identification of the root bug could be clearer

#3 - c4-judge

2023-02-15T07:18:02Z

Picodes changed the severity to QA (Quality Assurance)

#4 - c4-judge

2023-02-15T07:22:03Z

This previously downgraded issue has been upgraded by Picodes

#5 - c4-judge

2023-02-15T07:31:15Z

Picodes marked the issue as not a duplicate

#6 - c4-judge

2023-02-15T07:31:27Z

Picodes marked the issue as duplicate of #19
