Platform: Code4rena
Start Date: 05/04/2022
Pot Size: $30,000 USDC
Total HM: 10
Participants: 47
Period: 3 days
Judge: gzeon
Total Solo HM: 4
Id: 106
League: ETH
Rank: 19/47
Findings: 2
Award: $235.69
π Selected for report: 0
π Solo Findings: 0
π Selected for report: WatchPug
Also found by: Dravee, berndartmueller, hake, jah, minhquanym
181.4136 USDC - $181.41
https://github.com/code-423n4/2022-04-backed/blob/main/contracts/NFTLoanFacilitator.sol#L88 https://github.com/code-423n4/2022-04-backed/blob/main/contracts/NFTLoanFacilitator.sol#L124
While the contracts use in most places safeTransferFrom() to transfer NFTs, there are a few cases where the unsafe counterpart transferFrom() is used.
safeTransferFrom checks that contract recipients are aware of the ERC721 protocol to prevent tokens from being forever locked.
NFTLoanFacilitator.createLoan() NFTLoanFacilitator.closeLoan()
Manual review
Consider using safeTransferFrom() consistently.
As the NFTLoanFacilitator contract is receiving NFTs itself, the contract has to implement the interface ERC721TokenReceiver. To prevent reentrancy, consider adding a reentrancy guard to both functions as a safety precaution in case any other functionality is added later which might make this exploitable.
#0 - wilsoncusack
2022-04-08T00:00:11Z
createLoan case is not relevant, we are transferring to ourself and are handling in our own logic.
closeLoan is an outlier using transferFrom but I think we will probably switch all safeTransferFrom to transferFrom
#1 - wilsoncusack
2022-04-08T00:01:25Z
#11
#2 - wilsoncusack
2022-04-08T00:03:42Z
#83 is now canonical
#3 - gzeoneth
2022-04-15T12:53:07Z
Duplicate of #83
π Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0xDjango, 0xkatana, BouSalman, CertoraInc, Dravee, FSchmoede, Hawkeye, Kenshin, Meta0xNull, PPrieditis, Ruhum, TerrierLover, VAD37, WatchPug, berndartmueller, csanuragjain, hake, horsefacts, hubble, m9800, rayn, reassor, robee, samruna, securerodd, shenwilly, sorrynotsorry, t11s, teryanarmen, tintin, z3s
54.2825 USDC - $54.28
None
Zero-address checks are a best-practice for input validation of critical address parameters.
Impact: If _nftLoanFacilitator is set to address(0), it will break the contract and deployment of a new contract is necessary.
NFTLoanTicket.constructor()#_nftLoanFacilitator
Add zero-address check:
require(address(_nftLoanFacilitator) != address(0), "Zero address");
By using _mint() a minted NFT can get stuck in a recipients contract if the contract not designed to handle them. safeMint() checks whether the recipient contract can handle ERC721 tokens.
Its is recommended to use _safeMint whenever possible.
_safeMint(to, tokenId);