code-423n4 / 2024-02-renft-mitigation-findings


H-03 MitigationConfirmed #4

Open c4-bot-7 opened 8 months ago

c4-bot-7 commented 8 months ago

Lines of code

Vulnerability details

C4 Issue

H-03: An attacker can hijack any ERC1155 token he rents due to a design issue in reNFT via reentrancy exploitation

Comments

Rental NFTs were transferred to the rental wallet before the zone validateOrder() was executed. That allowed a malicious user to bypass the Guard protection via an NFT callback + fallback handler, or via a malicious zone call.

Mitigation

PR-14: Create intermediary transfers on rent

By transferring the tokens to the Create policy first, no malicious actions like an approval can be made on the rental wallet before the NFTs are registered (as the tokens are still in the Create policy during validateOrder() execution).

Conclusions

Successful Mitigation
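The ordering difference described above, as an added example that is not part of the original report or of reNFT's code: a simplified Python model comparing the pre-mitigation flow with the intermediary-transfer flow. All class, function and holder names are hypothetical, and the guard rule (approvals are blocked only once a rental is registered) and the forwarding of tokens to the wallet after registration are modelling assumptions.

```python
class RentFlow:
    """Toy model of the rent flow; not reNFT's implementation."""

    def __init__(self, mitigated):
        self.mitigated = mitigated
        self.holder = {}         # token_id -> current holder
        self.registered = set()  # (wallet, token_id) rentals the guard knows about
        self.approvals = set()   # (wallet, operator) approvals that got through

    def wallet_approve(self, wallet, token_id, operator):
        # Assumed guard rule: reject approvals once the rental is registered.
        if (wallet, token_id) in self.registered:
            return False
        self.approvals.add((wallet, operator))
        return True

    def transfer(self, token_id, to, on_receive=None):
        self.holder[token_id] = to
        if on_receive:  # token-receive callback, runs renter-controlled code
            on_receive(self, to, token_id)

    def validate_order(self, wallet, token_id):
        # Stand-in for the zone's validateOrder(): registers the rental.
        self.registered.add((wallet, token_id))

    def rent(self, token_id, wallet, on_receive):
        if self.mitigated:
            # Tokens sit in the Create policy while validateOrder() runs,
            # so no callback reaches the rental wallet before registration.
            self.transfer(token_id, "create_policy")
            self.validate_order(wallet, token_id)
            self.transfer(token_id, wallet, on_receive)
        else:
            # Original order: wallet receives first, registration comes later.
            self.transfer(token_id, wallet, on_receive)
            self.validate_order(wallet, token_id)


def renter_callback(flow, wallet, token_id):
    # Constructed callback: tries to approve an operator on the rental wallet.
    flow.wallet_approve(wallet, token_id, "operator")


def approval_survives(mitigated):
    flow = RentFlow(mitigated)
    flow.rent(1, "rental_wallet", renter_callback)
    return ("rental_wallet", "operator") in flow.approvals


if __name__ == "__main__":
    print("pre-mitigation approval granted:", approval_survives(False))
    print("post-mitigation approval granted:", approval_survives(True))
```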

c4-judge commented 8 months ago

gzeon-c4 marked the issue as satisfactory