code-423n4 / 2021-11-nested-findings


setReserve() can be front-run #82

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

palina

Vulnerability details

Impact

The reserve address variable in NestedFactory.sol remains equal to 0 before the setReserve() function is called by an owner. This may lead to incorrect transfers of tokens or invalid comparison with e.g., the asset reserve (nestedRecords.getAssetReserve(_nftId) == address(reserve)), should they occur before the value for reserve was set. In addition, the immutability of the reserve variable requires extra caution when setting the value.

Proof of Concept

setReserve(): https://github.com/code-423n4/2021-11-nested/blob/5d113967cdf7c9ee29802e1ecb176c656386fe9b/contracts/NestedFactory.sol#L89

Tools Used

Manual Analysis

Recommended Mitigation Steps

Consider initializing the value for the reserve variable in the constructor.
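Added illustration, not the NestedFactory code from the contest repository: a simplified contract showing the pattern the finding describes (reserve left at address(0) until an owner-only setReserve() call, settable once) beside the constructor-initialized version the mitigation recommends. Contract and function names are made up for the example, and the one-shot check in setReserve() is an assumption standing in for the "immutability" the finding mentions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical stand-in for the pattern in the finding (not NestedFactory's actual code).
/// `reserve` stays address(0) until the owner calls setReserve(); every comparison or
/// transfer that keys on `reserve` before that transaction lands uses the zero address.
contract FactoryBefore {
    address public owner;
    address public reserve;            // zero until setReserve() runs

    constructor() {
        owner = msg.sender;
    }

    function setReserve(address _reserve) external {
        require(msg.sender == owner, "not owner");
        require(reserve == address(0), "already set");   // assumed one-shot setter
        reserve = _reserve;
    }

    /// Any check like getAssetReserve(id) == reserve compares against address(0)
    /// while the reserve is unset, so an unset asset reserve "matches" here.
    function isReserve(address candidate) external view returns (bool) {
        return candidate == reserve;   // true for address(0) until setReserve() is called
    }
}

/// Mitigation from the finding: fix the reserve in the constructor, so there is no
/// window in which the variable is zero and no separate setter transaction to race.
contract FactoryAfter {
    address public immutable reserve;

    constructor(address _reserve) {
        require(_reserve != address(0), "reserve is zero");   // reject an unset value at deploy
        reserve = _reserve;
    }

    function isReserve(address candidate) external view returns (bool) {
        return candidate == reserve;   // never true for address(0)
    }
}
```

With FactoryAfter the reserve is fixed in the same transaction that deploys the factory, so no call can observe an unset value and no later setReserve() transaction exists to be front-run.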

maximebrugel commented 2 years ago

The main issue is duplicated: #60

The following comment can be considered as a duplicate of #83 if the extra caution is checking the zero address.

In addition, the immutability of the reserve variable requires extra caution when setting the value.

alcueca commented 2 years ago

The fact that the call to setReserve can be front-run is not being taken into account by the sponsor. I'm marking this one as not a duplicate.