code-423n4 / 2023-05-ajna-findings


PositionManager.sol contract: tokenURI function: anyone can create a position for any NFT. #371

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-core/src/PositionManager.sol#L517

Vulnerability details

[H-02]

PositionManager.sol contract: tokenURI function: anyone can create a position for any NFT.

Vulnerability Details

Only the NFT owner should be able to access this function; otherwise this will allow anyone to create a position for any NFT.

Impact

The NFT owner should be the only one who can access this function; otherwise this will allow anyone to create a position for any NFT, and this will result in creating/overwriting the position by anyone who isn't the owner of the NFT.

Proof of Concept

Instances: 1

File: 2023-05-ajna/ajna-core/src/PositionManager.sol
Line 517: function tokenURI

Tools Used

Manual Testing.

Recommended Mitigation Steps

Add access modifier to allow only the NFT owner to call this function.

Assessed type

Access Control
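The mitigation the report recommends, an access modifier restricting a call to the NFT's owner, shown as an added illustration. This is not Ajna's code: the contract, mapping and function names (PositionNFT, positions, createPosition, onlyTokenOwner) are hypothetical, and the unguarded/guarded pair exists only to contrast the two behaviours on a position-writing function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

/// Added example, not Ajna code. A minimal NFT-backed position contract in
/// which a position can only be created or overwritten by the token's owner.
/// All names here are hypothetical.
contract PositionNFT {
    // Minimal ERC721-style ownership record (tokenId => owner).
    mapping(uint256 => address) private _owners;
    // Position data keyed by tokenId (a single amount, for illustration).
    mapping(uint256 => uint256) public positions;
    uint256 private _nextId = 1;

    error NonexistentToken(uint256 tokenId);
    error NotTokenOwner(uint256 tokenId, address caller);

    /// Reverts unless msg.sender owns `tokenId`. Burned/unminted tokens map
    /// to address(0), which is handled explicitly so they can never be claimed.
    modifier onlyTokenOwner(uint256 tokenId) {
        address owner = _owners[tokenId];
        if (owner == address(0)) revert NonexistentToken(tokenId);
        if (msg.sender != owner) revert NotTokenOwner(tokenId, msg.sender);
        _;
    }

    /// Mint a new token to the caller and return its id.
    function mint() external returns (uint256 tokenId) {
        tokenId = _nextId++;
        _owners[tokenId] = msg.sender;
    }

    function ownerOf(uint256 tokenId) external view returns (address) {
        address owner = _owners[tokenId];
        if (owner == address(0)) revert NonexistentToken(tokenId);
        return owner;
    }

    /// Unguarded: any caller can create or overwrite the position of any
    /// tokenId. This is the failure mode the report describes.
    function createPositionUnguarded(uint256 tokenId, uint256 amount) external {
        positions[tokenId] = amount;
    }

    /// Guarded: the modifier ties the write to token ownership, so a caller
    /// can only create or overwrite positions for tokens they hold.
    function createPosition(uint256 tokenId, uint256 amount)
        external
        onlyTokenOwner(tokenId)
    {
        positions[tokenId] = amount;
    }
}
```

The check belongs on every function that mutates position state, not on a single entry point; when reviewing a contract like this, enumerate each external function that writes to the position mapping and confirm the ownership modifier (or an equivalent `msg.sender == ownerOf(tokenId)` check) is present on each.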

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid