Platform: Code4rena
Start Date: 27/04/2022
Pot Size: $50,000 MIM
Total HM: 6
Participants: 59
Period: 5 days
Judge: 0xean
Id: 113
League: ETH
Rank: 40/59
Findings: 1
Award: $72.64
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0xDjango, 0xf15ers, AuditsAreUS, BowTiedWardens, CertoraInc, Funen, GimelSec, MaratCerby, Ruhum, WatchPug, antonttc, berndartmueller, bobi, bobirichman, broccolirob, catchup, cccz, defsec, delfin454000, gs8nrv, gzeon, horsefacts, hubble, hyh, ilan, jah, joestakey, kebabsec, kenta, kenzo, m9800, mics, oyc_109, pauliax, reassor, robee, samruna, sikorico, simon135, throttle, unforgiven, z3s
72.6404 MIM - $72.64
https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L395-L422 https://github.com/code-423n4/2022-04-abranft/blob/main/contracts/NFTPair.sol#L353-L387
The functions NFTPair.requestAndBorrow and NFTPair.takeCollateralAndLend are both making use of the ecrecover function, which will return the 0 address if it can't match the signature. See the solidity docs for more https://docs.soliditylang.org/en/v0.6.12/units-and-global-variables.html#mathematical-and-cryptographic-functions
Call requestAndBorrow with lender == 0 and an incorrect signature. The require statement will pass, and continue to process _requestLoan and _lend functions.
Manual Analysis
Verify that the returned address from ecrecover != 0
#0 - cryptolyndon
2022-05-06T04:34:20Z
Duplicate of #1 and #2
#1 - 0xean
2022-05-20T22:57:20Z
see #2 for explanation. Downgrading to QA
#2 - JeeberC4
2022-05-23T19:08:07Z
Preserving original title: ecrecover return not checked for 0 address