code-423n4 / 2023-05-ajna-findings


LPB NFT holder can frontrun the selling of the NFT by redeeming his position #340

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/PositionManager.sol#L352

Vulnerability details

Impact

If an NFT holder lists his NFT on the secondary marketplace he can frontrun the purchase transaction by calling redeemPosition on PositionManager.sol, thus stealing money from the NFT buyer.

Proof of Concept

Given the fact that the NFT holder can transfer his NFT freely and the fact that the NFT isn't burnt on calling redeemPosition, the following can happen:

  1. Alice has a bucket with an LP balance equivalent to 1 ETH. She decides to mint an NFT by calling the mint function and memorialize her position by calling memorializePositions, so that the NFT now represents her LP balance.
  2. Alice lists the NFT for 0.8 ETH on the secondary marketplace.
  3. Bob sees that it is profitable for him and decides to buy the NFT.
  4. Alice frontruns Bob's transaction by calling redeemPosition.
  5. Bob's transaction goes through: he buys the NFT with 0 LP, while Alice receives 0.8 ETH from Bob for the purchase and gets her LP back.

Tools Used

Manual review

Recommended Mitigation Steps

Consider burning NFTs when redeemPosition is called.

Assessed type

ERC721
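The pattern in the finding and its recommended mitigation, as an added illustration that is not Ajna's PositionManager code: a hypothetical, simplified position NFT with a redeem function shown once without a burn (the race the report describes) and once with it. The contract name, the `lpOf`/`redeemedLp` bookkeeping and `mintAndMemorialize` are constructed for the example; only the ERC721 base and its `_mint`/`_burn`/`ownerOf` come from OpenZeppelin.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical position NFT (not Ajna's PositionManager): one memorialized LP
// balance per token, plus a redeem function in a vulnerable and a hardened form.
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

contract PositionNFT is ERC721 {
    // LP memorialized into each token (constructed bookkeeping, not Ajna's storage layout)
    mapping(uint256 tokenId => uint256) public lpOf;
    // LP credited back to an owner when a position is redeemed
    mapping(address owner => uint256) public redeemedLp;
    uint256 private _nextId = 1;

    constructor() ERC721("PositionNFT", "POS") {}

    // Mint a token and memorialize `lp` into it (the report's mint + memorializePositions steps).
    function mintAndMemorialize(uint256 lp) external returns (uint256 tokenId) {
        tokenId = _nextId++;
        _mint(msg.sender, tokenId);
        lpOf[tokenId] = lp;
    }

    // VULNERABLE pattern from the finding: the LP leaves the token, but the token
    // survives and stays transferable. A marketplace sale ordered after this call
    // still settles, so the buyer receives an empty NFT while the seller keeps
    // both the LP and the sale price.
    function redeemPositionVulnerable(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "not owner");
        redeemedLp[msg.sender] += lpOf[tokenId];
        lpOf[tokenId] = 0;
    }

    // HARDENED pattern (the report's recommended mitigation): burn on redeem.
    // ERC721 transferFrom reverts for a token that no longer exists, so a sale
    // ordered after this call reverts instead of delivering an empty NFT, and the
    // buyer's payment never settles.
    function redeemPosition(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "not owner");
        redeemedLp[msg.sender] += lpOf[tokenId];
        delete lpOf[tokenId];
        _burn(tokenId);
    }
}
```

Burning closes the race at the protocol layer; a marketplace or buyer wanting defence in depth can additionally read `lpOf(tokenId)` in the same transaction as the purchase and refuse to settle when it is zero.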

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

Picodes marked the issue as grade-c