Closed code423n4 closed 1 year ago
I'm really sorry, this issue is wrong. I thought I had found something interesting at the last minute, but I didn't have enough time to write a proper PoC, and my report contains grammar errors; this is unprofessional. I know that comments should be withheld until post-judging, but I am doing it to save time for the judge.
0xSorryNotSorry marked the issue as low quality report
0xSorryNotSorry marked the issue as duplicate of #685
GalloDaSballo marked the issue as unsatisfactory: Invalid
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L623
Vulnerability details
Impact
FlashLoan lacks a reentrancy guard, allowing an attacker to borrow the entire set of NFTs from the pool, sell them back to the pool, and manipulate the NFT balances with fake values. Subsequently, the attacker can purchase the NFTs at a discounted rate in order to return them. The attacker can buy more NFTs than the pool really holds, effectively purchasing each NFT twice (returning it by selling it to the pool again). This is possible because the pool's variables are updated before the safeTransfer call, during which the malicious user can re-enter the contract and sell the NFT while the reserve variables hold the inflated values produced by the large purchase. The last NFTs purchased are not sold and are instead returned to the contract to complete the flash loan.
Proof of Concept
Tools Used
Recommended Mitigation Steps
Use a reentrancy guard on the flash loan function.
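As an added illustration of the recommended mitigation (a hypothetical minimal pool written for this page, not Caviar's PrivatePool code): the lock has to be shared by flashLoan and by the functions a borrower could re-enter, such as sell, otherwise guarding flashLoan alone still lets the callback sell the borrowed token back to the pool while the loan is open. The NFT interface, fee and pricing here are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical sketch (not Caviar's code): one reentrancy lock shared
// across the flash-loan entry point and the pool's trading functions.
interface IERC721Minimal {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
    function ownerOf(uint256 tokenId) external view returns (address);
}

interface IFlashBorrower {
    function onFlashLoan(address initiator, address token, uint256 tokenId, uint256 fee, bytes calldata data)
        external returns (bytes32);
}

contract GuardedNftPool {
    uint256 private _locked = 1;            // 1 = unlocked, 2 = locked
    address public immutable nft;
    uint256 public immutable flashFee;      // wei charged per flash loan (assumed)
    uint256 public immutable sellPrice;     // wei paid per NFT sold in (assumed fixed price)
    uint256 public nftReserve;              // pool's own count of NFTs it holds

    // Any nested call into a guarded function reverts, so a flash-loan
    // callback cannot reach sell() before the loan has been settled.
    modifier nonReentrant() {
        require(_locked == 1, "REENTRANCY");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(address nft_, uint256 flashFee_, uint256 sellPrice_) {
        nft = nft_; flashFee = flashFee_; sellPrice = sellPrice_;
    }

    // Selling into the pool is guarded too: this is the re-entry target.
    function sell(uint256 tokenId) external nonReentrant {
        IERC721Minimal(nft).safeTransferFrom(msg.sender, address(this), tokenId);
        nftReserve += 1;
        payable(msg.sender).transfer(sellPrice);
    }

    function flashLoan(IFlashBorrower receiver, uint256 tokenId, bytes calldata data)
        external payable nonReentrant returns (bool)
    {
        require(msg.value >= flashFee, "FEE");
        IERC721Minimal(nft).safeTransferFrom(address(this), address(receiver), tokenId);
        bytes32 ok = receiver.onFlashLoan(msg.sender, nft, tokenId, flashFee, data);
        require(ok == keccak256("ERC3156FlashBorrower.onFlashLoan"), "CALLBACK");
        // The borrower must have transferred the token back before we release the lock.
        require(IERC721Minimal(nft).ownerOf(tokenId) == address(this), "NOT_RETURNED");
        return true;
    }
}
```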