reNFT - anshujalan's results

Collateral-free, permissionless, and highly customizable EVM NFT rentals.

General Information

Platform: Code4rena

Start Date: 08/01/2024

Pot Size: $83,600 USDC

Total HM: 23

Participants: 116

Period: 10 days

Judge: 0xean

Total Solo HM: 1

Id: 317

League: ETH

reNFT

Findings Distribution

Researcher Performance

Rank: 98/116

Findings: 1

Award: $8.62

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository reNFT

Findings Information

🌟 Selected for report: LokiThe5th

Also found by: 0xAlix2, BI_security, Coverage, EV_om, Giorgio, KupiaSec, Qkite, SBSecurity, anshujalan, evmboi32, hals, juancito, krikolkk, oakcobalt, rbserver, rokinot, roleengineer, said, sin1st3r__, trachev, yashar

Awards

8.618 USDC - $8.62

Labels

bug

2 (Med Risk)

satisfactory

duplicate-323

External Links

Link to GitHub issue

Lines of code

https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Guard.sol#L195-L294

Vulnerability details

Summary

Several completely honest ERC721 & ERC1155 token contracts implement Openzeppelin's burnable interface that allows the owner of the NFT to burn it irreversibly.
- ERC721Burnable: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC721/extensions/ERC721Burnable.sol
- ERC1155Burnable: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC1155/extensions/ERC1155Burnable.sol
Rented NFTs are held by the rental safes that guards all outbound transactions using the Guard policy.
However, the Guard policy does not block calls to the burn function through the rental safes, thus allowing the renters to potentially the destroy a rented NFT held by their safe.
Popular examples each of mainnet deployed ERC721 and ERC1155 contracts that have the burnable interface:
- ERC721: https://etherscan.io/token/0xbd3531da5cf5857e7cfaa92426877b022e612cf8#code
- ERC1155: https://etherscan.io/token/0x6811f2f20c42f42656a3c8623ad5e9461b83f719#code

Impact

The lender loses their NFT irreversibly.
The order can never be stopped since the internal NFT reclaim transaction always fails.

Proof of Concept

Guard policy does not block ERC721::burn, ERC1155::burn and ERC1155::burnBatch: https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Guard.sol#L195-L293
Reclaim fails when rental is stopped: https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Stop.sol#L293

Tools Used

Manual review

Recommended Mitigation Steps

Block transactions to the functions of the burnable interface using Guard policy: ERC721::burn, ERC1155::burn and ERC1155::burnBatch

Assessed type

Other

#0 - c4-pre-sort
2024-01-21T17:39:42Z

141345 marked the issue as duplicate of #323

#1 - c4-judge
2024-01-28T20:06:42Z

0xean marked the issue as satisfactory

#2 - c4-judge
2024-01-28T20:06:42Z

0xean marked the issue as satisfactory

reNFT - anshujalan's results

Collateral-free, permissionless, and highly customizable EVM NFT rentals.

General Information

Findings Distribution

Researcher Performance

External Links

[M-08] Renters can burn rented NFTs if the token contract implements Openzeppelin's ERC721Burnable/ERC1155Burnable interface - $8.62

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Summary

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2024-01-21T17:39:42Z

#1 - c4-judge2024-01-28T20:06:42Z

#2 - c4-judge2024-01-28T20:06:42Z

#0 - c4-pre-sort
2024-01-21T17:39:42Z

#1 - c4-judge
2024-01-28T20:06:42Z

#2 - c4-judge
2024-01-28T20:06:42Z