New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A public vault owner can lock and steal arbitrary collateralId by issuing a poisonous lien #466
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-19
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
labels
Jan 19, 2023
Picodes marked the issue as duplicate of #565 |
Picodes marked the issue as satisfactory |
c4-judge
added
satisfactory
satisfies C4 submission criteria; eligible for awards
duplicate-19
downgraded by judge
Judge downgraded the risk level of this issue
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
and removed
duplicate-565
3 (High Risk)
Assets can be stolen/lost/compromised directly
labels
Feb 15, 2023
Picodes changed the severity to QA (Quality Assurance) |
c4-judge
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
and removed
downgraded by judge
Judge downgraded the risk level of this issue
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
labels
Feb 15, 2023
This previously downgraded issue has been upgraded by Picodes |
Picodes marked the issue as not a duplicate |
Picodes marked the issue as duplicate of #19 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-19
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/VaultImplementation.sol#L238-L241
Vulnerability details
Impact
Since any vault can issue a lien to any
collateralId
(using the casereceiver == holder
), a malicious vault owner can lock any collateralId not having liens by issuing a malicious lien.Here is the detailed scenario:
An innocent user A deposits their NFT in the
CollateralToken
contract, mints a token with idcollateralId
.If user A did not commit to any lien yet, malicious user B creates a public vault, and issues a lien to A for collateralId, denominated in a ERC20 token controlled by B.
B locks the transfer function on their ERC20 token, until auction, during which B is the only one to be able to transfer the ERC20, and thus obtaining the right to claim the collateral.
Proof of Concept
Tools Used
Manual review
Recommended Mitigation Steps
The condition for validity should be (always checking msg.sender):
The text was updated successfully, but these errors were encountered: