code-423n4 / 2022-06-nibbl-findings


Malicious NFT #291

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/NibblVaultFactory.sol#L38-L56

Vulnerability details

Impact

Anybody can create a vault which fractionalizes their NFT. However, this process should go through a whitelist and review process because a maliciously implemented NFT contract can reclaim ownership of the contract despite it technically being 'owned' by the vault.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Say for example, I fractionalize my NFT, create the vault and the platform thinks it retains ownership of the asset through this line of code.

https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/NibblVaultFactory.sol#L53

That's not necessarily the case, because the ownerOf implementation of the NFT contract could, perhaps, always return an attacker address, perhaps after 2 days. It is not always guaranteed these NFTs are implemented following the exact OpenZeppelin standard, despite adhering to the ERC721/1155 interface. These methods are not to be trusted unless using whitelisted & reviewed NFT contracts.

In addition, mint methods in the NFT contract could create an unbounded supply & any conceivable malicious intent in their implementations.

Tools Used

Manual review.

Recommended Mitigation Steps

Review the contracts of NFTs that wish to be fractionalized, especially their ownerOf, safeTransferFrom, transferFrom & mint methods to ensure no malicious intent.
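Added example, not Nibbl's code and not part of the original submission: a hypothetical vault factory that enforces the mitigation above by only fractionalizing collections a reviewer has allowlisted, with the ownerOf check kept as a sanity check rather than the control (contract and function names are assumptions).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interfaces declared inline so the example compiles without OpenZeppelin.
interface IERC721Min {
    function ownerOf(uint256 tokenId) external view returns (address);
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}
interface IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4);
}

// Hypothetical vault: holds exactly one token and accepts safe transfers.
contract SimpleVault is IERC721Receiver {
    address public immutable collection;
    uint256 public immutable tokenId;
    address public immutable curator;
    constructor(address c, uint256 t, address cur) { collection = c; tokenId = t; curator = cur; }
    function onERC721Received(address, address, uint256, bytes calldata) external pure override returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}

// Hypothetical factory: an arbitrary ERC721 implementation cannot be vaulted until
// its ownerOf / transferFrom / mint behaviour has been reviewed and allowlisted.
contract AllowlistedVaultFactory {
    address public immutable reviewer;
    mapping(address => bool) public reviewedCollections;
    event VaultCreated(address indexed collection, uint256 indexed tokenId, address vault);

    constructor() { reviewer = msg.sender; }

    function setReviewed(address collection, bool ok) external {
        require(msg.sender == reviewer, "not reviewer");
        reviewedCollections[collection] = ok;
    }

    function createVault(address collection, uint256 tokenId) external returns (address vault) {
        // The allowlist is the actual control: it keeps non-standard contracts out entirely.
        require(reviewedCollections[collection], "collection not reviewed");
        vault = address(new SimpleVault(collection, tokenId, msg.sender));
        IERC721Min(collection).safeTransferFrom(msg.sender, vault, tokenId);
        // Sanity check only: a non-standard ownerOf can return anything, which is
        // exactly why this assertion alone would not protect the vault.
        require(IERC721Min(collection).ownerOf(tokenId) == vault, "transfer failed");
        emit VaultCreated(collection, tokenId, vault);
    }
}
```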

GalloDaSballo commented 2 years ago

Finding doesn't show any code / POC but is going for a High Severity

HardlyDifficult commented 2 years ago

A malicious NFT that violates the standard in this way should have no value. The issue described here would also apply to any NFT marketplace or other sale mechanism. Valuing an NFT requires more than just viewing the associated metadata - it is the buyer's responsibility to do some due diligence. This is a concern with NFTs in general and not specific to the Nibbl protocol. Closing as invalid.