Open c4-submissions opened 10 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #20
raymondfam marked the issue as duplicate of #63
MiloTruck changed the severity to 3 (High Risk)
MiloTruck marked the issue as satisfactory
MiloTruck changed the severity to QA (Quality Assurance)
MiloTruck marked the issue as grade-a
Lines of code
https://github.com/open-dollar/od-contracts/blob/f4f0246bb26277249c1d5afe6201d4d9096e52e6/src/contracts/proxies/ODSafeManager.sol#L136-L152
Vulnerability details
Impact
When a user opens a SAFE, a "Non-Fungible Vault" (NFV) is minted to their account. The NFV controls the ownership and transferability of the SAFE: the tokenId is equal to the safeId, and the transference of an NFV equates to the transference of the corresponding SAFE.
The NFV can be traded on secondary markets; once a user buys an NFV, its ownership is transferred to them along with ownership of the SAFE.
Each SAFE has collateral and debt (a position), so a user's decision to buy an NFV will mainly rely on the health of the SAFE position it represents; the user would prefer to buy a healthy SAFE.
But how could the buyer be tricked by the original SAFE owner? Let's imagine the following scenario:
This will harm any buyer, as there's no cool-down period that prevents the original owner from selling the NFV after making any update to its state (generating debt or freeing collateral).
Proof of Concept
ODSafeManager.transferSAFEOwnership function
Tools Used
Manual Testing.
Recommended Mitigation Steps
Add a cool-down period that starts when the user generates debt or quits the system (or performs any operation that decreases the SAFE health or frees its collateral), and check that this period has passed when the NFV is transferred to another user (bought by another user).
Assessed type
Context
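A minimal sketch of the cool-down described under Recommended Mitigation Steps, added here as an illustration and not taken from od-contracts. The contract, its function names, the `lastRiskIncrease` field and the one-hour `COOLDOWN` value are all hypothetical; it only shows where the timestamp is recorded and where the transfer path checks it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustrative only: hypothetical names, not the ODSafeManager API.
contract CooldownSafeSketch {
    uint256 public constant COOLDOWN = 1 hours; // assumed value, tune per market

    struct Safe {
        address owner;
        uint256 collateral;
        uint256 debt;
        uint256 lastRiskIncrease; // timestamp of last health-reducing action
    }

    mapping(uint256 => Safe) public safes;
    uint256 public nextId = 1;

    error NotOwner();
    error CooldownActive(uint256 readyAt);

    modifier onlyOwner(uint256 id) {
        if (safes[id].owner != msg.sender) revert NotOwner();
        _;
    }

    function open(uint256 collateral) external returns (uint256 id) {
        id = nextId++;
        safes[id] = Safe(msg.sender, collateral, 0, 0);
    }

    // Generating debt lowers position health, so it restarts the cool-down.
    function generateDebt(uint256 id, uint256 amount) external onlyOwner(id) {
        safes[id].debt += amount;
        safes[id].lastRiskIncrease = block.timestamp;
    }

    // Freeing collateral lowers position health, so it restarts the cool-down.
    function freeCollateral(uint256 id, uint256 amount) external onlyOwner(id) {
        safes[id].collateral -= amount; // reverts on underflow in 0.8.x
        safes[id].lastRiskIncrease = block.timestamp;
    }

    // Transfer path: refuse while the position changed within the window,
    // so a buyer cannot receive a SAFE that was drained just before the sale.
    function transferOwnership(uint256 id, address to) external onlyOwner(id) {
        uint256 readyAt = safes[id].lastRiskIncrease + COOLDOWN;
        if (block.timestamp < readyAt) revert CooldownActive(readyAt);
        safes[id].owner = to;
    }
}
```

Actions that improve health (adding collateral, repaying debt) deliberately leave the timestamp untouched, so they never delay a sale.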