[H-02] PositionManager.sol contract: tokenURI function: anyone can create a position for any NFT.
Vulnerability Details
Only the NFT owner should be able to call this function; otherwise anyone can create a position for any NFT.
Impact
Only the NFT owner should be able to call this function. Otherwise anyone can create a position for any NFT, which lets a caller who does not own the NFT create or overwrite that NFT's position.
Proof of Concept
Instances: 1
File: 2023-05-ajna/ajna-core/src/PositionManager.sol
Line 517: function tokenURI
Tools Used
Manual Testing.
Recommended Mitigation Steps
Add an access modifier so that only the NFT owner can call this function.
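As an added illustration of the recommended fix (example code, not Ajna's PositionManager): a minimal ERC721 position contract, assuming OpenZeppelin's ERC721 base, showing an unguarded setter beside the same setter gated by an owner-only modifier. The contract, function and storage names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

/// Minimal position manager used only to illustrate the owner-only check.
/// Names and storage layout are assumptions, not Ajna's code.
contract PositionManagerExample is ERC721 {
    struct Position {
        address pool;
        uint256 lps;
    }

    mapping(uint256 => Position) public positions;
    uint256 private _nextId = 1;

    constructor() ERC721("Position", "POS") {}

    /// Reverts unless msg.sender is the current owner of tokenId_.
    /// ownerOf() itself reverts for a token id that was never minted,
    /// so a nonexistent position cannot be written either.
    modifier onlyPositionOwner(uint256 tokenId_) {
        require(ownerOf(tokenId_) == msg.sender, "caller is not NFT owner");
        _;
    }

    function mint(address pool_) external returns (uint256 tokenId) {
        tokenId = _nextId++;
        positions[tokenId].pool = pool_;
        _safeMint(msg.sender, tokenId);
    }

    /// Vulnerable pattern: no owner check, so any caller can overwrite
    /// the position stored for any token id.
    function setPositionUnchecked(uint256 tokenId_, uint256 lps_) external {
        positions[tokenId_].lps = lps_;
    }

    /// Hardened version: the modifier rejects every caller except the owner.
    function setPosition(uint256 tokenId_, uint256 lps_)
        external
        onlyPositionOwner(tokenId_)
    {
        positions[tokenId_].lps = lps_;
    }
}
```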
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/PositionManager.sol#L517
Assessed type
Access Control