Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $88,500 USDC
Total HM: 31
Participants: 105
Period: 11 days
Judge: ronnyx2017
Total Solo HM: 7
Id: 342
League: ETH
Rank: 31/105
Findings: 2
Award: $440.80
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xjuan
Also found by: CaeraDenoir, Tigerfrake, Timenov, novamanbg, santiellena
398.0218 USDC - $398.02
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/transformers/V3Utils.sol#L115-L352
In V3Utils::execute, users can execute instructions by pulling an approved NFT instead of a direct safeTransferFrom call from the owner. However, there is no validation of whether the caller is the owner of the tokenId or an approved address.
As we can see in executeWithPermit, there is a validation:
if (nonfungiblePositionManager.ownerOf(tokenId) != msg.sender) { revert Unauthorized(); }
But there is no such check in execute, nor a check whether msg.sender is approved.
Consider the following scenario:
nonfungiblePositionManager
.execute
with his instructions.
Manual Review
Add validation that msg.sender is the owner of the tokenId or an approved address.
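The following is an added illustration of the recommended check, not code from the Revert Lend repository. The contract, function and interface names (PullGuardExample, IERC721Minimal, executeUnchecked, executeChecked) are hypothetical; only the ERC-721 functions ownerOf, getApproved, isApprovedForAll and safeTransferFrom are the real standard calls that a NonfungiblePositionManager exposes. It places the unchecked pull described in the finding next to a version gated on the owner-or-approved rule.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal slice of the ERC-721 interface exposed by a position manager
// (assumed interface; only the functions the check needs are declared).
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
    function getApproved(uint256 tokenId) external view returns (address);
    function isApprovedForAll(address owner, address operator) external view returns (bool);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external
        returns (bytes4);
}

// Hypothetical transformer that pulls an approved position NFT into itself
// before running caller-supplied instructions.
contract PullGuardExample is IERC721Receiver {
    IERC721Minimal public immutable nonfungiblePositionManager;

    error Unauthorized();

    constructor(IERC721Minimal npm) {
        nonfungiblePositionManager = npm;
    }

    // Same rule ERC-721 itself applies to transfers: the owner, the single
    // approved address for this token, or an operator approved for all.
    function _isApprovedOrOwner(address spender, uint256 tokenId) internal view returns (bool) {
        address owner = nonfungiblePositionManager.ownerOf(tokenId);
        return spender == owner
            || nonfungiblePositionManager.getApproved(tokenId) == spender
            || nonfungiblePositionManager.isApprovedForAll(owner, spender);
    }

    // Shape described in the finding: the NFT is pulled from whoever approved
    // this contract, and nothing ties that owner to msg.sender.
    function executeUnchecked(uint256 tokenId) external {
        address owner = nonfungiblePositionManager.ownerOf(tokenId);
        nonfungiblePositionManager.safeTransferFrom(owner, address(this), tokenId);
        // ... instructions chosen by msg.sender would run against the position here
    }

    // Hardened shape: refuse unless msg.sender is the owner or approved.
    function executeChecked(uint256 tokenId) external {
        if (!_isApprovedOrOwner(msg.sender, tokenId)) revert Unauthorized();
        address owner = nonfungiblePositionManager.ownerOf(tokenId);
        nonfungiblePositionManager.safeTransferFrom(owner, address(this), tokenId);
        // ... instructions run only for a caller allowed to act on this tokenId
    }

    // Required so safeTransferFrom into this contract succeeds.
    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        override
        returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Checking getApproved and isApprovedForAll in addition to ownerOf matters because the finding's point is that an approved address, not only the owner, should be allowed; checking ownerOf alone (as executeWithPermit does) would lock out legitimate operators, while checking nothing lets any caller act on any position whose owner approved the contract.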
Access Control
#0 - c4-pre-sort
2024-03-22T16:27:45Z
0xEVom marked the issue as duplicate of #141
#1 - c4-pre-sort
2024-03-22T16:27:50Z
0xEVom marked the issue as sufficient quality report
#2 - c4-judge
2024-04-01T06:44:40Z
jhsagd76 marked the issue as satisfactory
#3 - c4-judge
2024-04-01T15:42:48Z
jhsagd76 changed the severity to 3 (High Risk)
🌟 Selected for report: Bauchibred
Also found by: 0x11singh99, 0x175, 0xAlix2, 0xDemon, 0xGreyWolf, 0xPhantom, 0xspryon, 14si2o_Flint, Arabadzhiev, Aymen0909, Bigsam, BowTiedOriole, CRYP70, DanielArmstrong, FastChecker, JecikPo, KupiaSec, MohammedRizwan, Norah, Timenov, Topmark, VAD37, adeolu, btk, crypticdefense, cryptphi, givn, grearlake, jnforja, kennedy1030, kfx, ktg, lanrebayode77, n1punp, santiellena, stonejiajia, t4sk, thank_you, tpiliposian, wangxx2026, y0ng0p3, zaevlad
42.7786 USDC - $42.78
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/transformers/LeverageTransformer.sol#L39-L40
https://github.com/code-423n4/2024-03-revert-lend/blob/435b054f9ad2404173f36f0f74a5096c894b12b7/src/transformers/LeverageTransformer.sol#L122-L123
As per the comments of the functions leverageUp and leverageDown in LeverageTransformer.sol, these functions are supposed to be called by the transform function in the Vault. However, there is no such protection and anyone can call them.
As there is no access control, a malicious user can craft a smart contract that will use them for his needs.
First, let's look at what the attacker can configure in the leverageUp function:
token will be IVault(msg.sender).asset()
IVault(msg.sender).borrow(params.tokenId, amount)
Now let's look at leverageDown:
IVault(msg.sender).asset()
SafeERC20.safeApprove(IERC20(token), msg.sender, amount)
IVault(msg.sender).repay(params.tokenId, amount, false)
Manual Review
Add a state variable of type address vault, set its value in the constructor, and add the validation require(msg.sender == vault, "only vault."); . Also, a function updateVault can be created in order to change the address in the future. Do not forget to add the onlyOwner modifier to that function.
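Below is an added example of the mitigation, written for this page and not taken from LeverageTransformer.sol. The contract name VaultGatedTransformer, the IVaultMinimal and IERC20Minimal interfaces, and the owner handling are assumptions; the asset, borrow and repay calls are the ones quoted in the finding. It stores the vault address at construction, gates the msg.sender-as-vault entry points behind an onlyVault modifier, and exposes an owner-only updateVault for rotation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed vault surface, shaped after the calls quoted in the finding.
interface IVaultMinimal {
    function asset() external view returns (address);
    function borrow(uint256 tokenId, uint256 amount) external;
    function repay(uint256 tokenId, uint256 amount, bool isShare) external;
}

interface IERC20Minimal {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical transformer that only trusts msg.sender as "the vault" after
// comparing it to a stored address.
contract VaultGatedTransformer {
    address public owner;
    address public vault;

    event VaultUpdated(address indexed oldVault, address indexed newVault);

    modifier onlyOwner() {
        require(msg.sender == owner, "only owner");
        _;
    }

    // Every function that treats msg.sender as the vault goes behind this.
    modifier onlyVault() {
        require(msg.sender == vault, "only vault.");
        _;
    }

    constructor(address _vault) {
        require(_vault != address(0), "zero vault");
        owner = msg.sender;
        vault = _vault;
    }

    // Owner-controlled rotation, as the mitigation suggests.
    function updateVault(address newVault) external onlyOwner {
        require(newVault != address(0), "zero vault");
        emit VaultUpdated(vault, newVault);
        vault = newVault;
    }

    // Unprotected shape from the finding: whoever calls is used as the vault.
    function leverageUpUnchecked(uint256 tokenId, uint256 amount) external {
        IVaultMinimal(msg.sender).borrow(tokenId, amount);
    }

    // Protected shape: msg.sender has been verified to be the configured vault.
    function leverageUp(uint256 tokenId, uint256 amount) external onlyVault {
        IVaultMinimal(msg.sender).borrow(tokenId, amount);
        // ... swap / increase-liquidity logic on the borrowed asset would follow
    }

    function leverageDown(uint256 tokenId, uint256 amount) external onlyVault {
        address token = IVaultMinimal(msg.sender).asset();
        // let the (verified) vault pull the repayment, then repay
        require(IERC20Minimal(token).approve(msg.sender, amount), "approve failed");
        IVaultMinimal(msg.sender).repay(tokenId, amount, false);
    }
}
```

The zero-address checks in the constructor and updateVault are a small addition beyond the finding's text: without them a misconfigured deployment would leave the transformer permanently locked, since no caller can ever equal address(0).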
Access Control
#0 - c4-pre-sort
2024-03-16T10:09:50Z
0xEVom marked the issue as duplicate of #366
#1 - c4-pre-sort
2024-03-18T09:24:11Z
0xEVom marked the issue as sufficient quality report
#2 - c4-judge
2024-03-29T01:44:21Z
jhsagd76 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2024-03-29T01:45:29Z
jhsagd76 marked the issue as grade-a
#4 - jhsagd76
2024-03-29T01:45:31Z
L-A