Anyone can make a collateral token owner take a loan without consent #214
Comments
This finding doesn't do the job of explaining the root cause of the issue, although I guess from the
Picodes marked the issue as duplicate of #565
Picodes marked the issue as partial-50
Picodes marked the issue as full credit
Picodes marked the issue as satisfactory
Picodes changed the severity to QA (Quality Assurance)
This previously downgraded issue has been upgraded by Picodes
Picodes marked the issue as not a duplicate
Picodes marked the issue as duplicate of #19
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/main/src/VaultImplementation.sol#L237-L244
Vulnerability details
Impact
Let's say Bob used his NFT as collateral, which allowed him to take loans of up to 50 ether as a max potential debt. Bob decided to borrow only 10 ether. As per the protocol's logic, Bob can give consent by approving another actor (e.g. an operator) to take loans on his behalf.
However, a malicious actor can still make Bob take additional loans (commitToLien) without his consent. This results in:
Proof of Concept
Please create a file named LoanWithoutConsentTest.t.sol under the src/test/ directory.
Add the following code to the file.
The test will pass.
Note: This attack isn't possible when using AstariaRouter, as it has an additional check:
Tools Used
Manual analysis
Recommended Mitigation Steps
In VaultImplementation's _validateCommitment function, fix the logic in the following code:
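The consent model described in the finding (a collateral owner may borrow, or may approve an operator to borrow on their behalf, and nobody else may commit to a lien against that collateral), as an added illustration that is not part of the original issue and not Astaria's code. ToyVault, its storage layout, the Commitment struct and the Bob/Mallory addresses are all hypothetical; the vulnerable variant assumes one common shape of this bug class (authorising on a caller-supplied field instead of on msg.sender), which is an assumption about the class, not a claim about the exact root cause in VaultImplementation. The test contract assumes Foundry with forge-std available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol"; // assumed: Foundry project with forge-std installed

// Hypothetical toy vault (not Astaria's code). A depositor may approve an
// operator to take loans against their collateral; nobody else should be able to.
contract ToyVault {
    struct Commitment {
        uint256 collateralId; // which deposited collateral the loan is taken against
        address borrower;     // whose collateral / debt position is affected
        uint256 amount;       // loan amount requested
    }

    mapping(uint256 => address) public ownerOf;  // collateralId => depositor
    mapping(uint256 => uint256) public maxDebt;  // collateralId => max potential debt
    mapping(uint256 => uint256) public debt;     // collateralId => debt taken so far
    // owner => operator => approved to take loans on the owner's behalf
    mapping(address => mapping(address => bool)) public isOperator;

    event LienCommitted(uint256 indexed collateralId, address indexed borrower, address indexed caller, uint256 amount);

    function deposit(uint256 collateralId, uint256 maxPotentialDebt) external {
        require(ownerOf[collateralId] == address(0), "already deposited");
        ownerOf[collateralId] = msg.sender;
        maxDebt[collateralId] = maxPotentialDebt;
    }

    // Consent: only the owner can grant or revoke an operator.
    function setOperator(address operator, bool approved) external {
        isOperator[msg.sender][operator] = approved;
    }

    // VULNERABLE (assumed bug class, for illustration only): the check reads
    // c.borrower, a field the caller fills in, and never looks at msg.sender.
    // Mallory sets c.borrower = Bob and passes, so Bob's collateral is loaded
    // with a loan he never consented to.
    function _validateCommitmentVulnerable(Commitment calldata c) internal view {
        address owner = ownerOf[c.collateralId];
        require(owner != address(0), "unknown collateral");
        require(c.borrower == owner || isOperator[owner][c.borrower], "not authorised");
        require(debt[c.collateralId] + c.amount <= maxDebt[c.collateralId], "exceeds max potential debt");
    }

    // FIXED: the recorded borrower must be the collateral owner, and the account
    // actually sending the transaction must be that owner or an approved operator.
    function _validateCommitment(Commitment calldata c) internal view {
        address owner = ownerOf[c.collateralId];
        require(owner != address(0), "unknown collateral");
        require(c.borrower == owner, "borrower must be the collateral owner");
        require(msg.sender == owner || isOperator[owner][msg.sender], "caller is neither owner nor approved operator");
        require(debt[c.collateralId] + c.amount <= maxDebt[c.collateralId], "exceeds max potential debt");
    }

    function commitToLienVulnerable(Commitment calldata c) external {
        _validateCommitmentVulnerable(c);
        debt[c.collateralId] += c.amount; // fund transfer omitted in this toy
        emit LienCommitted(c.collateralId, c.borrower, msg.sender, c.amount);
    }

    function commitToLien(Commitment calldata c) external {
        _validateCommitment(c);
        debt[c.collateralId] += c.amount;
        emit LienCommitted(c.collateralId, c.borrower, msg.sender, c.amount);
    }
}

// Foundry test reproducing the scenario from the finding: Bob deposits
// collateral worth up to 50 ether of debt, borrows 10, and Mallory (never
// approved) tries to take the remaining 40 in Bob's name.
contract ToyVaultTest is Test {
    ToyVault vault;
    address bob = address(0xB0B);     // hypothetical collateral owner
    address mallory = address(0xBAD); // hypothetical attacker

    function setUp() public {
        vault = new ToyVault();
        vm.prank(bob);
        vault.deposit(1, 50 ether);
        vm.prank(bob);
        vault.commitToLien(ToyVault.Commitment(1, bob, 10 ether));
    }

    function testVulnerable_MalloryBorrowsOnBobsCollateral() public {
        vm.prank(mallory);
        vault.commitToLienVulnerable(ToyVault.Commitment(1, bob, 40 ether));
        assertEq(vault.debt(1), 50 ether); // Bob's debt grew without his consent
    }

    function testFixed_MalloryIsRejected() public {
        vm.prank(mallory);
        vm.expectRevert(bytes("caller is neither owner nor approved operator"));
        vault.commitToLien(ToyVault.Commitment(1, bob, 40 ether));
        assertEq(vault.debt(1), 10 ether);
    }
}
```

The design point is that consent has to be bound to the transaction sender (or to a signature the owner produced), not to data the sender supplies about who the borrower is; any field in the commitment struct is attacker-controlled at the moment _validateCommitment runs.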