AbraNFT contest - unforgiven's results

A peer to peer lending platform, using NFTs as collateral.

General Information

Platform: Code4rena

Start Date: 27/04/2022

Pot Size: $50,000 MIM

Total HM: 6

Participants: 59

Period: 5 days

Judge: 0xean

Id: 113

League: ETH

Abracadabra Money

Findings Distribution

Researcher Performance

Rank: 42/59

Findings: 1

Award: $72.47

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Abracadabra Money

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1337, 0x1f8b, 0xDjango, 0xf15ers, AuditsAreUS, BowTiedWardens, CertoraInc, Funen, GimelSec, MaratCerby, Ruhum, WatchPug, antonttc, berndartmueller, bobi, bobirichman, broccolirob, catchup, cccz, defsec, delfin454000, gs8nrv, gzeon, horsefacts, hubble, hyh, ilan, jah, joestakey, kebabsec, kenta, kenzo, m9800, mics, oyc_109, pauliax, reassor, robee, samruna, sikorico, simon135, throttle, unforgiven, z3s

Awards

72.4741 MIM - $72.47

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPair.sol#L365-L386 https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPair.sol#L405-L422

Vulnerability details

Impact

Right now this doesn't have critical impact, because sending zero address to _lend and _requestLoan will revert the transaction. but with bypassing signature check, if logics of those function changes, then this will cause a fund lose.

Proof of Concept

The code don't check that lender and borrower address is not zero. ecrecover() will return zero if the signature is not valid and attacker can send wrong signature with zero address for lender/browser and bypass signature check. Of course in the codes after this signature check, code will revert, but still the signature check logic is not complete.

Tools Used

VIM

Recommended Mitigation Steps

add this line to requestAndBorrow: require(address(lender) != address(0), "NFTPair: lender is zero");

and this line to takeCollateralAndLend: require(address(borrower) != address(0), "NFTPair: lender is zero");

#0 - cryptolyndon
2022-05-05T02:51:57Z

Duplicate of #1 and #2. Number one is (very) theoretically possible, so I'll merely mark this as a duplicate with disputed severity, for reasons outlined in #1.

#1 - 0xean
2022-05-21T00:21:04Z

downgrading to QA per explanation in #2

#2 - JeeberC4
2022-05-23T19:05:26Z

Preserving original title: In requestAndBorrow() and takeCollateralAndLend() signature validation can be by passed by sending zero address for lender or browser

AbraNFT contest - unforgiven's results

A peer to peer lending platform, using NFTs as collateral.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-15] QA Report - $72.47

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - cryptolyndon2022-05-05T02:51:57Z

#1 - 0xean2022-05-21T00:21:04Z

#2 - JeeberC42022-05-23T19:05:26Z

#0 - cryptolyndon
2022-05-05T02:51:57Z

#1 - 0xean
2022-05-21T00:21:04Z

#2 - JeeberC4
2022-05-23T19:05:26Z