Platform: Code4rena
Start Date: 04/03/2024
Pot Size: $88,500 USDC
Total HM: 31
Participants: 105
Period: 11 days
Judge: ronnyx2017
Total Solo HM: 7
Id: 342
League: ETH
Rank: 85/105
Findings: 2
Award: $20.67
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xjuan
Also found by: 0rpse, 0x175, 0xAlix2, 0xBugSlayer, 0xloscar01, Ali-_-Y, Arz, CaeraDenoir, JohnSmith, Ocean_Sky, SpicyMeatball, alix40, ayden, falconhoof, givn, iamandreiski, kinda_very_good, nmirchev8, nnez, novamanbg, stackachu, wangxx2026
17.3162 USDC - $17.32
The vault could end up in a loss
A malicious actor bob would call V3Vault::create to create a position with a recipient that is a contract, howvever this countract would not support the IERC721Receiver interface, this contract would be set as the owner of the position. Bob could then take a loan via this contract. If the position ever becomes undercollaterized and a liquidator attempts to liquidate,the call would revert because the V3Vault::cleanupLoan which is called by the liquidate functions uses safeTransferFrom which expects the reciver to implement IERC721Receiver if they are a contract. bob could also make profits from the funds in the nft by arbitraging them using the V3Vault::transfrom fuction
Manual analysis
An address check could be implemened in the V3Vault::onERC721Received function to ensure that the owner is not a function
ERC721
#0 - c4-pre-sort
2024-03-18T18:41:25Z
0xEVom marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-03-18T18:42:22Z
0xEVom marked the issue as duplicate of #54
#2 - c4-judge
2024-03-31T16:09:17Z
jhsagd76 marked the issue as satisfactory
🌟 Selected for report: kfx
Also found by: 0x175, 0xAlix2, 0xjuan, AMOW, Aymen0909, CaeraDenoir, Giorgio, JCN, JecikPo, JohnSmith, Norah, SpicyMeatball, alexander_orjustalex, atoko, erosjohn, falconhoof, givn, grearlake, jnforja, kinda_very_good, lanrebayode77, nmirchev8, shaka, web3Tycoon, zxriptor
3.3501 USDC - $3.35
A malicious user can stop themselves from being liquidated effecting more loses on the vault
The V3Vault.liquidate requires that the debt shares supplied by the laiquidator parms is the same and the nft id debts shares else it reverts. A malicious actor could take advantage of this by repaying very small amounts eg 1,2 unit amounts when ever they are about to be liquidated to make sure the debt shares decrease without actually making the position solvent
manual analysis
dust repays should not be allowed and the above code block should be removed
Other
#0 - c4-pre-sort
2024-03-18T18:14:01Z
0xEVom marked the issue as sufficient quality report
#1 - c4-pre-sort
2024-03-18T18:15:02Z
0xEVom marked the issue as duplicate of #231
#2 - c4-pre-sort
2024-03-22T12:02:53Z
0xEVom marked the issue as duplicate of #222
#3 - c4-judge
2024-03-31T14:47:29Z
jhsagd76 changed the severity to 2 (Med Risk)
#4 - c4-judge
2024-03-31T16:06:32Z
jhsagd76 marked the issue as satisfactory