Platform: Code4rena
Start Date: 03/05/2023
Pot Size: $60,500 USDC
Total HM: 25
Participants: 114
Period: 8 days
Judge: Picodes
Total Solo HM: 6
Id: 234
League: ETH
Rank: 95/114
Findings: 1
Award: $34.02
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xTheC0der
Also found by: DadeKuma, Haipls, SpicyMeatball, ToonVH, aviggiano, azhar, evmboi32, juancito, kodyvim, ro1sharkm, rvierdiiev, sakshamguruji
34.0183 USDC - $34.02
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/PositionManager.sol#L176
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/base/Pool.sol#L515-L516
The PositionManager contract allows anyone to memorialize a lender's NFT position (memorializePositions) without the owner's permission, if the owner has already given allowance to the PositionManager contract's address in the Pool contract's approveLPTransferors function. In the PositionManager contract's memorializePositions function, the owner address is obtained with address owner = ownerOf(params_.tokenId); that is, from user-submitted params. That's the bug here.
For example, Alice has 1 position NFT and gave allowance to the PositionManager contract's address, deciding to memorialize it after 2-3 months, but Bob noticed this. Bob memorializes Alice's NFT after Alice gave the allowance.
Manual Review
Inside the memorializePositions function, check the user's access like this:
address owner = ownerOf(params_.tokenId);
require(owner == msg.sender, "Not Allowed");
Access Control
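A simplified model of the pattern this finding describes, with the unchecked entry point beside the recommended check. This is an added example, not Ajna's code or the warden's; `PoolModel`, `PositionManagerModel`, `deposit`, `mint`, `transferLP` and `memorializePositionsUnchecked` are hypothetical names, and the pool logic is reduced to a single transferor check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;
// Simplified model (added example, not Ajna's code). Names other than ownerOf,
// memorializePositions, approveLPTransferors and params_.tokenId are hypothetical.
contract PoolModel {
    mapping(address => mapping(address => bool)) public approvedTransferors; // owner => transferor
    mapping(address => uint256) public lp; // holder => LP balance
    function deposit(uint256 amount_) external { lp[msg.sender] += amount_; }
    function approveLPTransferors(address[] calldata transferors_) external {
        for (uint256 i = 0; i < transferors_.length; ++i) {
            approvedTransferors[msg.sender][transferors_[i]] = true;
        }
    }

    // The pool sees only its direct caller (the position manager), so this check
    // passes regardless of who called the manager.
    function transferLP(address owner_, address to_) external {
        require(approvedTransferors[owner_][msg.sender], "Transferor not approved");
        lp[to_] += lp[owner_];
        lp[owner_] = 0;
    }
}

contract PositionManagerModel {
    struct MemorializeParams { uint256 tokenId; }
    PoolModel public immutable pool;
    mapping(uint256 => address) private _owners; // tokenId => NFT owner
    uint256 private _nextId = 1;
    constructor(PoolModel pool_) { pool = pool_; }
    function mint() external returns (uint256 tokenId) {
        tokenId = _nextId++;
        _owners[tokenId] = msg.sender;
    }

    function ownerOf(uint256 tokenId) public view returns (address) { return _owners[tokenId]; }

    // Before: owner is looked up from the caller-chosen tokenId, never tied to msg.sender.
    function memorializePositionsUnchecked(MemorializeParams calldata params_) external {
        pool.transferLP(ownerOf(params_.tokenId), address(this));
    }

    // After: the check recommended in the finding.
    function memorializePositions(MemorializeParams calldata params_) external {
        address owner = ownerOf(params_.tokenId);
        require(owner == msg.sender, "Not Allowed");
        pool.transferLP(owner, address(this));
    }
}
```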
#0 - c4-judge
2023-05-18T17:59:49Z
Picodes marked the issue as duplicate of #356
#1 - c4-judge
2023-05-30T21:47:11Z
Picodes marked the issue as duplicate of #488
#2 - c4-judge
2023-05-30T21:48:05Z
Picodes marked the issue as satisfactory
#3 - c4-judge
2023-05-30T21:48:13Z
Picodes marked the issue as partial-50
#4 - c4-judge
2023-05-30T21:48:18Z
Picodes changed the severity to 3 (High Risk)