Vulnerability
The original vulnerability involved the potential for stopRent() to revert due to paused ERC721 or ERC1155 tokens.
Mitigation
A token whitelist for rentals and payments has been introduced. As per the mitigation documentation, no pausable ERC721 or ERC1155 tokens will be whitelisted. This approach ensures that only non-pausable tokens are considered for rental transactions, effectively addressing the original issue by avoiding the problematic scenario altogether.
Suggestion
While the whitelist approach is effective, it requires ongoing monitoring to ensure that every token on the list remains safe to interact with. Some tokens may be deployed behind a proxy and could later be upgraded to add pausing or other problematic functionality, so a token that was safe when listed is not guaranteed to stay that way.
It is also worth noting that 2 out of the 3 assets intended to be whitelisted as payment tokens, USDC and USDT, are pausable. While this may not be considered a Medium severity vulnerability according to Code4rena guidelines, it has the same effect as the original issue: if either token is used as the payment token and is paused, the rental cannot be stopped.
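To make the failure mode and the mitigation concrete, here is a constructed, minimal rental escrow (an added illustration, not the audited project's code; all names such as RentalEscrow, setWhitelisted and startRent are hypothetical). It shows the whitelist gate on both the rental and the payment token, and why a paused token in either leg of stopRent() blocks the whole call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not the audited project's code. Demonstrates how a
// paused token in the settlement path makes stopRent() revert, and where a
// token whitelist keeps such tokens out of new rentals.
interface IERC721 { function transferFrom(address, address, uint256) external; }
interface IERC20 {
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

contract RentalEscrow {
    struct Rental { address lender; address renter; address nft; uint256 id; address payToken; uint256 fee; bool active; }
    mapping(uint256 => Rental) public rentals;
    mapping(address => bool) public whitelisted; // applies to rental (NFT) and payment tokens alike
    address public immutable admin;
    uint256 public nextId;

    constructor() { admin = msg.sender; }

    // Hypothetical admin hook. The list is only as safe as its review: a listed token
    // behind an upgradeable proxy can gain pause functionality after listing.
    function setWhitelisted(address token, bool ok) external {
        require(msg.sender == admin, "not admin");
        whitelisted[token] = ok;
    }

    // Lender escrows the NFT, renter (who has approved `fee`) pays up front.
    function startRent(address nft, uint256 id, address payToken, uint256 fee, address renter) external returns (uint256 rid) {
        // Whitelist gate: an unlisted token never enters the rental path.
        require(whitelisted[nft] && whitelisted[payToken], "token not whitelisted");
        IERC721(nft).transferFrom(msg.sender, address(this), id);
        require(IERC20(payToken).transferFrom(renter, address(this), fee), "fee transfer failed");
        rid = nextId++;
        rentals[rid] = Rental(msg.sender, renter, nft, id, payToken, fee, true);
    }

    // Settlement is atomic: NFT return and fee payout happen in one call. If either
    // token is paused (its transfer reverts), the whole call reverts and the rental
    // can never be stopped. This is the failure mode the review describes, and it
    // applies equally to a pausable payment token such as USDC or USDT.
    function stopRent(uint256 rid) external {
        Rental storage r = rentals[rid];
        require(r.active, "inactive");
        require(msg.sender == r.lender || msg.sender == r.renter, "not a party");
        r.active = false;
        IERC721(r.nft).transferFrom(address(this), r.lender, r.id);          // reverts if the NFT is paused
        require(IERC20(r.payToken).transfer(r.lender, r.fee), "payout failed"); // reverts if the payment token is paused
    }
}
```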
Conclusion
The introduction of a token whitelist effectively mitigates the original vulnerability as long as no pausable tokens are whitelisted.