Platform: Code4rena
Start Date: 27/04/2022
Pot Size: $50,000 MIM
Total HM: 6
Participants: 59
Period: 5 days
Judge: 0xean
Id: 113
League: ETH
Rank: 45/59
Findings: 1
Award: $72.40
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0xDjango, 0xf15ers, AuditsAreUS, BowTiedWardens, CertoraInc, Funen, GimelSec, MaratCerby, Ruhum, WatchPug, antonttc, berndartmueller, bobi, bobirichman, broccolirob, catchup, cccz, defsec, delfin454000, gs8nrv, gzeon, horsefacts, hubble, hyh, ilan, jah, joestakey, kebabsec, kenta, kenzo, m9800, mics, oyc_109, pauliax, reassor, robee, samruna, sikorico, simon135, throttle, unforgiven, z3s
72.4009 MIM - $72.40
If, by mistake, the 'to' address parameter in function requestLoan() is set to the zero address by the UI or through a direct function call, then the NFT will get stuck within the NFTPair contract, with no means of transferring it to any other owner.
After the requestLoan() call, the NFT will be transferred to the NFTPair contract address, and both lend() and removeCollateral() will fail, because loan.borrower is set to the zero address.
There is no means of rescuing the NFT token; it's equivalent to loss of the NFT.
Contract: NFTPair.sol
Functions: requestLoan()
Line 221: loan.borrower = to;
Add a simple null check for the 'to' address in the requestLoan() function. Additionally, it's good to also add a null check for the 'recipient' address in function requestAndBorrow().
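A simplified Solidity sketch of the zero-address check recommended above, added here as an example; it is not the audited NFTPair.sol. The contract name LoanRequestSketch, the reduced Loan struct and the two-argument function signatures are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: a simplified model, not the audited NFTPair.sol.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract LoanRequestSketch {
    struct Loan {
        address borrower; // only this address may reclaim the collateral
        bool requested;
    }

    IERC721 public immutable collateral;
    mapping(uint256 => Loan) public loans;

    constructor(IERC721 collateral_) {
        collateral = collateral_;
    }

    function requestLoan(uint256 tokenId, address to) external {
        // The check the finding recommends. Without it, to == address(0)
        // records a borrower that no caller can ever match.
        require(to != address(0), "borrower is zero address");
        require(!loans[tokenId].requested, "loan exists");

        // Record the loan first, then pull the NFT into the contract.
        loans[tokenId] = Loan({borrower: to, requested: true});
        collateral.transferFrom(msg.sender, address(this), tokenId);
    }

    function removeCollateral(uint256 tokenId, address to) external {
        Loan memory loan = loans[tokenId];
        require(loan.requested, "no loan");
        // msg.sender is never address(0), so a zero borrower would make
        // this check fail for every caller and leave the NFT in the contract.
        require(msg.sender == loan.borrower, "not the borrower");

        delete loans[tokenId];
        collateral.transferFrom(address(this), to, tokenId);
    }
}
```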
#0 - cryptolyndon
2022-05-05T22:38:36Z
Duplicate of #91.
#1 - 0xean
2022-05-21T14:17:59Z
downgrading to QA.
#2 - JeeberC4
2022-05-23T19:11:11Z
Preserving original title: NFT token will get stuck in the NFTPair contract, if requestLoan initiated with null 'to' address