_safeMint malicious callback can corrupt _limitOrders data in Position.sol #288
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-400
partial-25: Incomplete articulation of vulnerability; eligible for partial credit only (25%)
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Position.sol#L148
Vulnerability details
Impact
A malicious user can call initiateLimitOrder from a contract, receive the ERC721 receiver callback that Position._safeMint makes to a contract recipient, and inside that callback call cancelLimitOrder to burn the freshly minted position NFT before _limitOrders and _limitOrderIndexes have been updated for it.
In that case the burn function (https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/Position.sol#L264) operates on _limitOrderIndexes and _limitOrders entries that were never populated for the new token, corrupting both structures.
Proof of Concept
todo
Tools Used
Manual audit
Recommended Mitigation Steps
Use _mint instead of _safeMint so that no receiver callback is made during minting.
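The ordering problem and the recommended fix, as an added illustration that is not the Tigris Position.sol code: a simplified contract in which only the names _limitOrders, _limitOrderIndexes, initiateLimitOrder and cancelLimitOrder come from the finding (everything else, including the OpenZeppelin v4 imports and the swap-and-pop layout, is assumed), showing the vulnerable mint ordering beside the hardened form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Simplified model of the ordering bug; NOT the Tigris Position.sol code.
// Storage names follow the finding; everything else here is assumed.
contract LimitOrderBook is ERC721, ReentrancyGuard {
    uint256[] private _limitOrders;                         // open limit-order token ids
    mapping(uint256 => uint256) private _limitOrderIndexes; // id => index in _limitOrders
    uint256 private _nextId = 1;

    constructor() ERC721("Pos", "POS") {}

    // VULNERABLE ORDERING: _safeMint calls onERC721Received on a contract receiver
    // before the order is recorded. A receiver that re-enters cancelLimitOrder there
    // removes a token whose index entry is still unset (reads as 0), and the interrupted
    // push afterwards re-inserts the already-burned id.
    function initiateLimitOrderVulnerable() external returns (uint256 id) {
        id = _nextId++;
        _safeMint(msg.sender, id); // external call to msg.sender if it is a contract
        _limitOrderIndexes[id] = _limitOrders.length;
        _limitOrders.push(id);
    }

    // FIXED: record the order first (checks-effects-interactions), mint with _mint so
    // no receiver callback runs (the report's recommendation), and add nonReentrant as
    // defence in depth.
    function initiateLimitOrder() external nonReentrant returns (uint256 id) {
        id = _nextId++;
        _limitOrderIndexes[id] = _limitOrders.length;
        _limitOrders.push(id);
        _mint(msg.sender, id);
    }

    // Swap-and-pop removal; correct only if _limitOrderIndexes[id] was set.
    // nonReentrant here does not protect the unguarded vulnerable function above.
    function cancelLimitOrder(uint256 id) external nonReentrant {
        require(ownerOf(id) == msg.sender, "not owner");
        uint256 idx = _limitOrderIndexes[id];
        uint256 last = _limitOrders[_limitOrders.length - 1];
        _limitOrders[idx] = last;       // with a stale idx of 0 this overwrites slot 0
        _limitOrderIndexes[last] = idx; // and points another order at the wrong index
        _limitOrders.pop();
        delete _limitOrderIndexes[id];
        _burn(id);
    }
}
```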