_safeMint malicious callback can corrupt _limitOrders data in Position.sol #288
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-400
partial-25
Incomplete articulation of vulnerability; eligible for partial credit only (25%)
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Comments
code423n4
added
2 (Med Risk)
|
Missing a clear Impact and POC, but is valid as a non CEI conformity finding |
|
GalloDaSballo marked the issue as duplicate of #197 |
|
GalloDaSballo marked the issue as not a duplicate |
|
GalloDaSballo marked the issue as duplicate of #400 |
|
25% because missing most of the attack |
|
GalloDaSballo marked the issue as partial-25 |
c4-judge
added
partial-25
|
GalloDaSballo changed the severity to 3 (High Risk) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Position.sol#L148
Vulnerability details
Impact
Malicious user can use a contract call initiateLimitOrder and get a callback in the Position._safeMint, and then call cancelLimitOrder to burn the position NFT in this callback before _limitOrders and _limitOrderIndexes get updated.
In this case the burn function https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Position.sol#L264 will wrongly operate _limitOrderIndexes and _limitOrders.
Proof of Concept
todo
Tools Used
manual audit
Recommended Mitigation Steps
use _mint instead of _safeMint to avoid callback
The text was updated successfully, but these errors were encountered: