Platform: Code4rena
Start Date: 08/01/2024
Pot Size: $83,600 USDC
Total HM: 23
Participants: 116
Period: 10 days
Judge: 0xean
Total Solo HM: 1
Id: 317
League: ETH
Rank: 87/116
Findings: 1
Award: $12.58
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xA5DF
Also found by: 0xmystery, 7ashraf, AkshaySrivastav, CipherSleuths, NentoR, SBSecurity, Tendency, ZanyBonzy, ZdravkoHr, dd0x7e8, hals, haxatron, invitedtea, jasonxiale, juancito, kaden, krikolkk, ladboy233, oakcobalt, peanuts, petro_1912, pkqs90, plasmablocks, ravikiranweb3, rbserver, rokinot, souilos
12.582 USDC - $12.58
reNFT allows people to rent NFTs by fulfilling a Seaport order. An owner (lender) can choose to use the BASE method (earn a payout from renting his NFTs) or the PAY method (the renter receives money for renting the NFTs). The renter will be able to enjoy his rented NFTs, which are placed in a (Gnosis) Safe from which he is not able to move them to another contract.
As the Safe can be valid for an unlimited period of time, if the rental duration is too long and you cannot reclaim your NFTs before it is over (using the BASE method), the NFTs would remain stuck in the Safe. Lenders could not get them back, and they would still be profitable for renters.
In the function Create::_rentFromZone in https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Create.sol#L530, the endTimestamp is based on the payload.metadata.rentDuration from Seaport:
```solidity
// Generate the rental order.
RentalOrder memory order = RentalOrder({
    seaportOrderHash: seaportPayload.orderHash,
    items: items,
    hooks: payload.metadata.hooks,
    orderType: payload.metadata.orderType,
    lender: seaportPayload.offerer,
    renter: payload.intendedFulfiller,
    rentalWallet: payload.fulfillment.recipient,
    startTimestamp: block.timestamp,
    // No upper bound is applied to rentDuration here.
    endTimestamp: block.timestamp + payload.metadata.rentDuration
});
```
The only check done is that this rentDuration is not equal to 0, in https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Create.sol#L631:
```solidity
function _isValidOrderMetadata(
    OrderMetadata memory metadata,
    bytes32 zoneHash
) internal view {
    // Check that the rent duration specified is not zero.
    if (metadata.rentDuration == 0) {
        revert Errors.CreatePolicy_RentDurationZero();
    }
    // ... (remainder of the function not quoted in this finding)
}
```
Manual review (vscode).
It would be recommended to set a maximum reasonable time limit for the rental duration in order to secure renters that rent using the BASE method. This maximum duration could be extended if necessary.
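As an added illustration of the recommended mitigation (not reNFT's code), the following contract pairs the existing zero check with an adjustable upper bound; the contract name, MAX_RENT_DURATION_CAP, setMaxRentDuration and the 365-day cap are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example of a bounded rent duration; names and values are assumptions.
contract RentalDurationPolicy {
    error RentDurationZero();
    error RentDurationTooLong(uint256 requested, uint256 max);
    error CapTooHigh(uint256 requested, uint256 hardCap);
    error NotAdmin();

    // Hard ceiling the admin cannot exceed (assumed value for the example).
    uint256 public constant MAX_RENT_DURATION_CAP = 365 days;

    address public immutable admin;
    // Adjustable limit, so the maximum can be extended later if needed.
    uint256 public maxRentDuration;

    event MaxRentDurationUpdated(uint256 oldMax, uint256 newMax);

    constructor(uint256 initialMax) {
        admin = msg.sender;
        _setMaxRentDuration(initialMax);
    }

    function setMaxRentDuration(uint256 newMax) external {
        if (msg.sender != admin) revert NotAdmin();
        _setMaxRentDuration(newMax);
    }

    function _setMaxRentDuration(uint256 newMax) internal {
        if (newMax == 0) revert RentDurationZero();
        if (newMax > MAX_RENT_DURATION_CAP) revert CapTooHigh(newMax, MAX_RENT_DURATION_CAP);
        emit MaxRentDurationUpdated(maxRentDuration, newMax);
        maxRentDuration = newMax;
    }

    // Mirrors the zero check from _isValidOrderMetadata and adds the missing upper bound.
    function validateRentDuration(uint256 rentDuration) public view {
        if (rentDuration == 0) revert RentDurationZero();
        if (rentDuration > maxRentDuration) revert RentDurationTooLong(rentDuration, maxRentDuration);
    }

    // endTimestamp is only computed once the duration has passed both checks.
    function rentalEnd(uint256 rentDuration) external view returns (uint256) {
        validateRentDuration(rentDuration);
        return block.timestamp + rentDuration;
    }
}
```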
#0 - 141345
2024-01-22T13:56:55Z
157 souilos l r nc 0 0 0
L 1 d dup of https://github.com/code-423n4/2024-01-renft-findings/issues/409
#1 - c4-judge
2024-01-27T20:31:26Z
0xean marked the issue as grade-b