Platform: Code4rena
Start Date: 03/05/2023
Pot Size: $60,500 USDC
Total HM: 25
Participants: 114
Period: 8 days
Judge: Picodes
Total Solo HM: 6
Id: 234
League: ETH
Rank: 62/114
Findings: 2
Award: $70.26
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xTheC0der
Also found by: DadeKuma, Haipls, SpicyMeatball, ToonVH, aviggiano, azhar, evmboi32, juancito, kodyvim, ro1sharkm, rvierdiiev, sakshamguruji
34.0183 USDC - $34.02
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/PositionManager.sol#L170
Anyone can call memorializePositions with any user NFT and transfer ownership of any previously approved LP tokens to the PositionManager contract.
memorializePositions stamps the given NFT with the underlying liquidity positions in a given array of bucket indexes and transfers the LPB to the PositionManager contract, since this function does not check if the caller is the owner of the NFT, the LP tokens may be transfer to the PositionManager contract at an inappropriate time, impacting the position management strategy of the owner.
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/PositionManager.sol#L170
Manuel Review
Add a check to compare the owner of the nft against the msg.sender in memorializePositions.
Access Control
#0 - c4-judge
2023-05-12T10:08:26Z
Picodes marked the issue as duplicate of #488
#1 - c4-judge
2023-05-29T20:25:11Z
Picodes marked the issue as partial-50
#2 - Picodes
2023-05-29T20:25:31Z
The impact described does not qualify for High Severity - the loss of funds scenario without external requirements is not obvious.
#3 - c4-judge
2023-05-30T21:48:18Z
Picodes changed the severity to 3 (High Risk)
🌟 Selected for report: rbserver
Also found by: 0xnev, ABAIKUNANBAEV, Audit_Avengers, Aymen0909, BGSecurity, BRONZEDISC, Bason, DadeKuma, GG_Security, Jerry0x, Jorgect, MohammedRizwan, REACH, Sathish9098, Shogoki, T1MOH, UniversalCrypto, aviggiano, ayden, berlin-101, bytes032, codeslide, descharre, fatherOfBlocks, hals, kaveyjoe, kodyvim, lfzkoala, lukris02, nadin, naman1778, patitonar, pontifex, sakshamguruji, squeaky_cactus, teawaterwire, wonjun, yjrwkk
36.2377 USDC - $36.24
if a user has approved his/her nft to someone or any protocol building on top of ajna they would not be able to stake on behave of the user, since the stake function only allows the owner. https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/RewardsManager.sol#L213 Recommended Mitigation: consider adding this check:
address owner = IERC721(address(positionManager)).ownerOf(tokenId_); address approved = IERC721(address(positionManager)).getApproved(tokenId_); if (owner != msg.sender && approved != msg.sender) revert NotOwnerOfDeposit();
fromPosition.depositTime is never resets to zeroThere is a check if a user has already move liquidity after they've already done so but the fromPosition.depositTime which is a storage variable was never set to zero after moving the liquidity.
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/PositionManager.sol#L268-L271
vars.depositTime = fromPosition.depositTime; // handle the case where owner attempts to move liquidity after they've already done so if (vars.depositTime == 0) revert RemovePositionFailed();
set fromPosition.depositTime to zero after moving liquidity.
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L99 fix comment to show the exact intent
- * @param values_ The amounts of ETH to send to each target. + * @param values_ The amounts of ETH to send to each target should always be zero.
https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L21
change immutable to constant.
address public immutable ajnaTokenAddress = 0x9a96ec9B57Fb64FbC60B423d1f4da7691Bd35079;
#0 - c4-judge
2023-05-18T19:19:18Z
Picodes marked the issue as grade-b