The contract does not perform comprehensive validation on the rental order data provided, which could be exploited by passing malformed data to disrupt the stopping process.
function stopRent(RentalOrder calldata order) external {
    // Check that the rental can be stopped.
    _validateRentalCanBeStoped(order.orderType, order.endTimestamp, order.lender);
    // ... rest of the function ...
}
Mitigation
Implement thorough validation checks on the rental order data before proceeding with the stop process. This could include verifying the integrity of the rental order against its hash stored in the contract.
function stopRent(RentalOrder calldata order) external {
    // Verify the integrity of the rental order against its stored hash
    bytes32 storedOrderHash = STORE.getRentalOrderHash(order.rentalWallet);
    bytes32 providedOrderHash = _deriveRentalOrderHash(order);
    require(storedOrderHash == providedOrderHash, "Invalid rental order data");
    // Check that the rental can be stopped.
    _validateRentalCanBeStoped(order.orderType, order.endTimestamp, order.lender);
    // ... rest of the function ...
}
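The hash check in the mitigation above only works if a commitment was recorded when the rental started. The following is an added example, not code from the report or from the reNFT repository, showing both halves of that pattern in a self-contained contract. The contract name, the reduced `RentalOrder` layout, the `activeOrders` mapping keyed by order hash, and the error names are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; simplified and hypothetical, not reNFT's Stop.sol or storage module.
contract RentalHashRegistry {
    // Hypothetical, reduced order layout (assumption for this example).
    struct RentalOrder {
        address lender;
        address renter;
        address rentalWallet;
        uint256 startTimestamp;
        uint256 endTimestamp;
    }

    // Commitment recorded at rental start: hash over every order field.
    mapping(bytes32 => bool) public activeOrders;

    error OrderNotActive(bytes32 orderHash);
    error OrderAlreadyActive(bytes32 orderHash);
    error RentalNotExpired(uint256 endTimestamp);

    function deriveOrderHash(RentalOrder calldata order) public pure returns (bytes32) {
        // abi.encode keeps field boundaries unambiguous, unlike abi.encodePacked.
        return keccak256(abi.encode(order));
    }

    // Access control on who may start a rental is omitted for brevity.
    function startRent(RentalOrder calldata order) external {
        bytes32 orderHash = deriveOrderHash(order);
        if (activeOrders[orderHash]) revert OrderAlreadyActive(orderHash);
        activeOrders[orderHash] = true;
    }

    function stopRent(RentalOrder calldata order) external {
        // 1. Bind the calldata to the stored commitment before trusting any field.
        bytes32 orderHash = deriveOrderHash(order);
        if (!activeOrders[orderHash]) revert OrderNotActive(orderHash);

        // 2. Only now are lender and endTimestamp known to match what was recorded.
        if (msg.sender != order.lender && block.timestamp < order.endTimestamp) {
            revert RentalNotExpired(order.endTimestamp);
        }

        // 3. Clear the commitment first so the same order cannot be stopped twice.
        delete activeOrders[orderHash];
        // ... asset return and payment settlement would follow here ...
    }
}
```

Changing any single field of the order in calldata produces a different hash, so `stopRent` reverts with `OrderNotActive` before the lender or timestamp checks read attacker-supplied values.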
Impact
Malformed or invalid rental order data can lead to incorrect execution of the stopRent function, potentially causing financial loss or disruption of service. By validating the rental order data against a known hash, the contract ensures that only legitimate and unaltered rental orders are processed. This validation step is crucial for maintaining the integrity of the stopping process and preventing exploitation.
Lines of code
https://github.com/re-nft/smart-contracts/blob/3ddd32455a849c3c6dc3c3aad7a33a6c9b44c291/src/policies/Stop.sol#L265
Assessed type
Invalid Validation