Ajna Protocol - ToonVH's results

A peer to peer, oracleless, permissionless lending protocol with no governance, accepting both fungible and non fungible tokens as collateral.

General Information

Platform: Code4rena

Start Date: 03/05/2023

Pot Size: $60,500 USDC

Total HM: 25

Participants: 114

Period: 8 days

Judge: Picodes

Total Solo HM: 6

Id: 234

League: ETH

Researcher Performance

Rank: 63/114

Findings: 2

Award: $70.26

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
3 (High Risk)
partial-50
upgraded by judge
duplicate-488

Awards

34.0183 USDC - $34.02

External Links

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/PositionManager.sol#L170-L216
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/PositionManager.sol#L227-L241

Vulnerability details

Impact

The mint() and memorializePositions() functions in PositionManager.sol have little access control. As a result, anyone can mint() an empty NFT to an arbitrary address, after which they can memorialize any positions that address holds into this NFT. Because the owner of the position becomes the owner of the NFT, no funds are lost, but this can still be used to grief the owner. The only constraint is that the owner must have approved the PositionManager, which could be the case if the owner previously minted or memorialized any NFTs.

File: PositionManager.sol
170:     function memorializePositions(
171:         MemorializePositionsParams calldata params_
172:     ) external override {
173:         EnumerableSet.UintSet storage positionIndex = positionIndexes[params_.tokenId];
174: 
175:         IPool   pool  = IPool(poolKey[params_.tokenId]);
176:         address owner = ownerOf(params_.tokenId);

             ...

212:         // update pool LP accounting and transfer ownership of LP to PositionManager contract
213:         pool.transferLP(owner, address(this), params_.indexes);
214: 
215:         emit MemorializePosition(owner, params_.tokenId, params_.indexes);
216:     }

Tools Used

Manual review

Recommended Mitigation Steps

  • Verify that msg.sender is the recipient/owner of the NFT during minting/memorialization.
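A simplified sketch, added here as an illustration and not Ajna's code, showing the unchecked mint/memorialize pattern described above beside the ownership check the mitigation calls for. IPoolLike, PositionManagerSketch, mintUnchecked and memorializeUnchecked are hypothetical names, and ERC-721 ownership is reduced to a mapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical, simplified sketch (not Ajna's code): the unchecked variants model the
// gap described in this finding, the checked ones apply the recommended mitigation.
interface IPoolLike {
    // Assumed shape: moves LP for `indexes` from `owner` to `to`; requires prior approval.
    function transferLP(address owner, address to, uint256[] calldata indexes) external;
}

contract PositionManagerSketch {
    error NotNftOwner(address caller, address owner);

    mapping(uint256 => address) public ownerOf; // ERC-721 ownership reduced to a mapping
    mapping(uint256 => address) public poolKey;
    uint256 private nextId = 1;

    // Vulnerable pattern: recipient is caller-supplied, so anyone can mint an empty
    // NFT to an arbitrary address without that address's involvement.
    function mintUnchecked(address recipient, address pool) external returns (uint256 id) {
        id = nextId++;
        ownerOf[id] = recipient;
        poolKey[id] = pool;
    }

    // Hardened: the NFT can only be minted to the caller.
    function mint(address pool) external returns (uint256 id) {
        id = nextId++;
        ownerOf[id] = msg.sender;
        poolKey[id] = pool;
    }

    // Vulnerable pattern: no check that the caller owns the token, so a third party can
    // trigger transferLP on the owner's behalf once the owner has approved this contract.
    function memorializeUnchecked(uint256 tokenId, uint256[] calldata indexes) external {
        address owner = ownerOf[tokenId];
        IPoolLike(poolKey[tokenId]).transferLP(owner, address(this), indexes);
    }

    // Hardened: only the NFT owner may memorialize positions into it.
    function memorializePositions(uint256 tokenId, uint256[] calldata indexes) external {
        address owner = ownerOf[tokenId];
        if (msg.sender != owner) revert NotNftOwner(msg.sender, owner);
        IPoolLike(poolKey[tokenId]).transferLP(owner, address(this), indexes);
    }
}
```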

Assessed type

Access Control

#0 - c4-judge

2023-05-12T10:08:57Z

Picodes marked the issue as duplicate of #488

#1 - Picodes

2023-05-29T20:26:34Z

The impact described does not qualify for High Severity - the loss of funds scenario without external requirements is not obvious.

#2 - c4-judge

2023-05-29T20:26:39Z

Picodes marked the issue as partial-50

#3 - c4-judge

2023-05-30T21:48:18Z

Picodes changed the severity to 3 (High Risk)
