Lines of code
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/modules/PaymentEscrow.sol#L132-L146
Vulnerability details
Impact
In a PAY/PAYEE order, borrowed NFTs will be stuck in the borrower's Safe Wallet, preventing the lender from stopping the rent. As a result, the borrower can use the NFT forever.
Proof of Concept
Some ERC20 tokens, such as USDC, have blacklisting functionality. By abusing this feature, a malicious borrower will generate a PAY/PAYEE order to borrow NFTs into his Safe Wallet.
When the rent expires, the lender tries to stop the rent, which settles payment to the borrower's wallet. However, the borrower's wallet is blacklisted, so the transaction will revert and the lender will not be able to retrieve his NFTs.
Tools Used
Manual Review
Recommended Mitigation Steps
There should be logic that handles reverts from transferring ERC20 tokens. One mitigation would be: if the ERC20 transfer fails, increase the unclaimed value for the address so that it can be claimed later.
Assessed type
DoS
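A sketch of the mitigation recommended above, as an added example that is not re-nft's PaymentEscrow code: settlement records a failed payout as an unclaimed balance instead of reverting, so stopping the rental cannot be blocked by a blacklisted recipient. The contract name, `_settle`, `claim`, `unclaimed` and the event are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical escrow fragment illustrating "record unclaimed balance on failed transfer".
contract EscrowWithDeferredClaims {
    // token => recipient => amount owed after a failed settlement transfer
    mapping(address => mapping(address => uint256)) public unclaimed;

    event PaymentDeferred(address indexed token, address indexed to, uint256 amount);

    // Called while stopping a rental. Never reverts because of the recipient:
    // a failed payout becomes a claimable balance, and the NFT return can proceed.
    function _settle(address token, address to, uint256 amount) internal {
        if (amount == 0) return;
        if (!_tryTransfer(token, to, amount)) {
            unclaimed[token][to] += amount;
            emit PaymentDeferred(token, to, amount);
        }
    }

    // Pull path for a recipient whose payout was deferred. A revert here only
    // affects the claimant, not the lender or the rental state.
    function claim(address token) external {
        uint256 amount = unclaimed[token][msg.sender];
        require(amount != 0, "nothing to claim");
        unclaimed[token][msg.sender] = 0; // clear before the external call
        require(_tryTransfer(token, msg.sender, amount), "transfer failed");
    }

    // Low-level call so that a revert, a `false` return, or a missing return
    // value (non-standard tokens) is reported as a bool instead of bubbling up.
    function _tryTransfer(address token, address to, uint256 amount) private returns (bool) {
        if (token.code.length == 0) return false; // not a contract
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("transfer(address,uint256)", to, amount)
        );
        if (!ok) return false;
        if (ret.length == 0) return true; // token returns nothing on success
        return ret.length >= 32 && abi.decode(ret, (uint256)) == 1;
    }
}
```

Escrow accounting that tracks total token balances would also need to keep deferred amounts reserved until they are claimed.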