If an NFT holder lists his NFT on a secondary marketplace, he can front-run the purchase transaction by calling redeemPosition on PositionManager.sol, thus stealing money from the NFT buyer.
Proof of Concept
Given that the NFT holder can transfer his NFT freely and that the NFT is not burnt when redeemPosition is called, the following can happen:
1. Alice has a bucket with an LP balance equivalent to 1 ETH. She mints an NFT by calling the mint function and memorializes her position by calling memorializePositions, so that the NFT now represents her LP balance.
2. Alice lists the NFT for 0.8 ETH on the secondary marketplace.
3. Bob sees that the purchase is profitable for him and decides to buy the NFT.
4. Alice front-runs Bob's transaction by calling redeemPosition.
5. Bob's transaction goes through: he buys an NFT that now holds 0 LP, while Alice receives 0.8 ETH from Bob for the purchase and gets her LP back.
Tools Used
Manual review
Recommended Mitigation Steps
Consider burning NFTs when redeemPositions is called.
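The following is an added, deliberately simplified illustration of the issue and the proposed mitigation; it is not Ajna's PositionManager.sol and does not reproduce its bucket-index bookkeeping. It assumes a hypothetical one-balance-per-token manager (MiniPositionManager, lpOf, lpBalance, deposit are all invented here) built on OpenZeppelin's ERC721. The vulnerable redeem leaves an emptied token alive and transferable, so a pending marketplace purchase still settles; the fixed redeem burns the token, so any later transfer of it reverts and the buyer's transaction fails instead of paying for an empty position.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not project code. Requires @openzeppelin/contracts (ERC721 v4.x API).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

/// Hypothetical minimal position manager: each token memorializes a single LP amount.
contract MiniPositionManager is ERC721 {
    uint256 private _nextId = 1;

    // tokenId => LP memorialized into that token (assumed layout, not Ajna's)
    mapping(uint256 => uint256) public lpOf;
    // owner => free LP not yet attached to a token (stand-in for pool bucket LP)
    mapping(address => uint256) public lpBalance;

    constructor() ERC721("MiniPosition", "MPOS") {}

    /// Stand-in for acquiring LP in a bucket: 1 wei deposited == 1 unit of LP.
    function deposit() external payable {
        lpBalance[msg.sender] += msg.value;
    }

    /// Mint an empty position NFT to the caller.
    function mint() external returns (uint256 tokenId) {
        tokenId = _nextId++;
        _mint(msg.sender, tokenId);
    }

    /// Move free LP into the token so the NFT now represents it.
    function memorializePositions(uint256 tokenId, uint256 amount) external {
        require(ownerOf(tokenId) == msg.sender, "not token owner");
        lpBalance[msg.sender] -= amount; // reverts on underflow in 0.8.x
        lpOf[tokenId] += amount;
    }

    /// VULNERABLE PATTERN: LP goes back to the caller, but the token survives
    /// with lpOf == 0 and can still be sold/transferred to a buyer who expects
    /// it to carry the LP it was listed with.
    function redeemPositionsVulnerable(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "not token owner");
        uint256 amount = lpOf[tokenId];
        lpOf[tokenId] = 0;
        lpBalance[msg.sender] += amount;
        // no _burn: empty NFT remains transferable
    }

    /// FIXED PATTERN: same redemption, then burn the token. ERC721.transferFrom /
    /// safeTransferFrom on a burned id reverts, so a marketplace settlement that
    /// was front-run can no longer move an empty token to the buyer.
    function redeemPositionsFixed(uint256 tokenId) external {
        require(ownerOf(tokenId) == msg.sender, "not token owner");
        uint256 amount = lpOf[tokenId];
        lpOf[tokenId] = 0;
        lpBalance[msg.sender] += amount;
        _burn(tokenId);
    }

    /// View used by a buyer or marketplace to check what a listed token holds.
    /// Reverts for burned ids, which is the desired signal after the fix.
    function positionValue(uint256 tokenId) external view returns (uint256) {
        ownerOf(tokenId); // reverts if the token no longer exists
        return lpOf[tokenId];
    }
}
```

Design note (editor's, not the project's): in a manager where one token can memorialize several bucket positions, the burn belongs at the point where the token's last position is redeemed, not on every partial redeem, and any off-chain indexer or marketplace should treat a reverting ownerOf as "listing no longer valid" rather than as a transient error.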
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/PositionManager.sol#L352
Assessed type
ERC721