Closed code423n4 closed 1 year ago
This is essentially the same "vulnerability" as #454 and #459 by the same warden. Please do not spam and focus on higher quality impact descriptions and on doing 1 issue per report.
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-05-ajna/blob/d80daab705a066828ef1c5d9ba85f315c7c932db/ajna-core/src/PositionManager.sol#L227-L241
Vulnerability details
Impact
The current implementation of the mint function allows a lender to mint multiple position NFTs for the same Ajna pool deposit. This could lead to an inflation of NFTs and potentially disrupt the system's reward distribution, as the lender could stake these multiple NFTs and claim more rewards than they should. This could also result in an unfair advantage for such lenders over others who abide by the intended one NFT per lender per pool per total LP rule.
Proof of Concept
The mint function currently does not check whether an NFT has already been minted for the same Ajna pool deposit by the same lender. This allows the same lender to mint multiple NFTs for the same pool deposit.
Here's an example of how a rogue lender could exploit this: // First NFT mint({pool: myPool, poolSubsetHash: someHash, recipient: myAddress}); // Second NFT for the same pool deposit mint({pool: myPool, poolSubsetHash: someHash, recipient: myAddress});
The lender can repeat this process and mint an arbitrary number of NFTs for the same pool deposit, which is not the intended behavior.
Tools Used
VSC.
Recommended Mitigation Steps
To prevent a lender from minting multiple NFTs for the same Ajna pool deposit, it is recommended to introduce a mapping that keeps track of whether a position NFT has already been minted for a specific lender and pool deposit. In the mint function, check this mapping before minting a new NFT, and revert the transaction if an NFT for the same pool deposit has already been minted by the same lender.
Here's a simple example of how such a check could be implemented:
// Mapping to track whether a position NFT has already been minted // for a specific lender and pool deposit mapping(address => mapping(address => bool)) private _minted;
function mint(MintParams calldata params) external override nonReentrant returns (uint256 tokenId) { // Check if a position NFT has already been minted for this lender and pool deposit require(!minted[msg.sender][params.pool], "Position NFT already minted for this pool deposit");
}
This way, a lender can only mint one position NFT per Ajna pool deposit, as intended, preventing the minting of multiple NFTs for the same deposit.
Assessed type
Other