The original vulnerability involved an incorrect ordering for the deletion of rental orders, which would have allowed malicious actors to flash steal rented NFTs. The root cause was that the deletion of a rental order from storage occurred before all necessary validations and checks were completed, specifically in the stopRent() function.
Mitigation
The mitigation approach involved modifying the stopRent() function to ensure that it directly reverts if an order does not exist. This change ensures that the function will exit early if the specified rental order is not found in storage, thereby preventing any further actions, such as the transfer of NFTs, from occurring if the order is invalid or does not exist.
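The ordering this mitigation describes can be sketched as follows. This is an added example, not the audited project's code: the contract, struct, error names, the escrow-style custody and the expiry check are all hypothetical simplifications chosen to show the existence check running before deletion and before any NFT transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only. Every name here is hypothetical and the custody
// model (this contract escrows the NFT) is a simplification.
interface IERC721Like {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract RentalStopSketch {
    struct RentalOrder {
        address lender;
        address token;
        uint256 tokenId;
        uint256 endTimestamp;
    }

    // Order hash => true while the rental is active.
    mapping(bytes32 => bool) public orders;

    error NotLender();
    error OrderDoesNotExist(bytes32 orderHash);
    error RentalNotExpired(uint256 endTimestamp);

    // Records the order and takes custody of the NFT (requires prior approval).
    function startRent(RentalOrder calldata order) external {
        if (msg.sender != order.lender) revert NotLender();
        orders[keccak256(abi.encode(order))] = true;
        IERC721Like(order.token).transferFrom(msg.sender, address(this), order.tokenId);
    }

    function stopRent(RentalOrder calldata order) external {
        bytes32 orderHash = keccak256(abi.encode(order));

        // Checks: revert immediately if the order is not in storage, so an
        // unknown or already-stopped order never reaches the transfer below.
        if (!orders[orderHash]) revert OrderDoesNotExist(orderHash);
        // Assumed additional validation, completed before any state change.
        if (block.timestamp < order.endTimestamp) revert RentalNotExpired(order.endTimestamp);

        // Effect: delete the order only after every check has passed.
        delete orders[orderHash];

        // Interaction: return the NFT last.
        IERC721Like(order.token).transferFrom(address(this), order.lender, order.tokenId);
    }
}
```

Calling stopRent() a second time with the same order reverts with OrderDoesNotExist before any token moves, which is the early-exit behaviour the mitigation relies on.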
Suggestion
-
Conclusion
The mitigation effectively addresses the original vulnerability.