Closed code423n4 closed 2 years ago
Duplicate of #22
closing as invalid, see #22
Lines of code
https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPair.sol#L247-L268 https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L267-L297
Vulnerability details
Issue: removeCollateral function does not perform any address checks if the loan status = LOAN_INITIAL.
Consequences: If anyone sends an NFT to the contract by itself, for whatever reason, an attacker can snatch it with removeCollateral.
Proof of Concept
requestLoan
Mitigations
removeCollateral should add a check for LOAN_INITIAL condition. Example:-> if(tokenLoan[tokenId].status == LOAN_INITIAL) require(tokenLoan[tokenId].borrower != address(0), "").
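Added example, not part of the report and not the project's own code: the check proposed under Mitigations, placed in a simplified Solidity model of the pattern. The contract name, the LOAN_REQUESTED state, the minimal IERC721 interface and the revert strings are assumptions made for illustration; only removeCollateral, requestLoan, tokenLoan, borrower, status and LOAN_INITIAL come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-721 surface needed by this model (assumed interface).
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Simplified model for illustration; not the audited NFTPair contract.
contract CollateralModel {
    uint8 private constant LOAN_INITIAL = 0;
    uint8 private constant LOAN_REQUESTED = 1; // assumed second state

    struct TokenLoan {
        address borrower;
        uint8 status;
    }

    IERC721 public immutable collateral;
    mapping(uint256 => TokenLoan) public tokenLoan;

    constructor(IERC721 collateral_) {
        collateral = collateral_;
    }

    // The borrower is recorded against the token id when the NFT is deposited.
    function requestLoan(uint256 tokenId) external {
        require(tokenLoan[tokenId].status == LOAN_INITIAL, "loan exists");
        tokenLoan[tokenId] = TokenLoan(msg.sender, LOAN_REQUESTED);
        collateral.transferFrom(msg.sender, address(this), tokenId);
    }

    function removeCollateral(uint256 tokenId, address to) external {
        TokenLoan memory loan = tokenLoan[tokenId];
        if (loan.status == LOAN_REQUESTED) {
            require(msg.sender == loan.borrower, "not the borrower");
        }
        // Check proposed in the report: a token id with no recorded
        // borrower (status still LOAN_INITIAL) cannot be withdrawn.
        if (loan.status == LOAN_INITIAL) {
            require(loan.borrower != address(0), "no loan for token");
        }
        delete tokenLoan[tokenId];
        collateral.transferFrom(address(this), to, tokenId);
    }
}
```

In this model a LOAN_INITIAL entry always has a zero borrower, so the added check rejects every withdrawal in that state, and an NFT transferred directly to the contract has no exit path through removeCollateral.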