code-423n4 / 2024-02-wise-lending-findings


Malicious users can honeypot other users by withdrawing deposit tokens #183

Closed c4-bot-3 closed 5 months ago

c4-bot-3 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L460-L484

Vulnerability details

According to the website https://wisesoft.gitbook.io/wise/wiselending.com/wise-lending, it says:

Each user mints an NFT for their account when they first interact. This allows for transferrable positions, as well as modular features to be built on top of the base protocol, such as an options market.

So position NFT can be used as a financial certificate and sold and purchased in the market.

If the NFT is put up for sale and it has some collateral available, anybody can submit a transaction with the price paid to buy it. But the seller can front-run the buyer, and he can withdraw all deposit tokens in the NFT and get all the price paid.

Impact

Malicious users can honeypot other users

Proof of Concept

For example, if user A owns Position NFT 1 with 1 ETH deposited:

  1. User A owns Position NFT 1.
  2. Position NFT 1 has 1 ETH deposited, and it can be withdrawn.
  3. User A lists Position NFT 1 for 3000 USDT.
  4. User B buys Position NFT 1.
  5. User A sees the transaction in the mempool and quickly front runs it in order to withdraw 1 ETH.
  6. User A withdraws 1 ETH and gets user B's price paid of 3000 USDT, and user B gets Position NFT 1 with no deposit.

There is an example like it: https://www.codehawks.com/report/clql6lvyu0001mnje1xpqcuvl#H-04

Recommended Mitigation Steps

After a position NFT is operated on in Wise Lending, the timestamp of that operation needs to be recorded. Transfers need to be limited so that they can only be used after a duration has passed since this timestamp.

Assessed type

MEV
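The cooldown mitigation proposed in the report, as an added illustration that is not WiseLending's code and not part of the original finding: a minimal stand-in position registry (not ERC721-complete) records the timestamp of every deposit or withdrawal and refuses to transfer a position until `TRANSFER_COOLDOWN` has elapsed, so a withdrawal front-run against a pending sale makes the sale transaction revert instead of handing the buyer an empty position. The contract name, the one-hour duration and all function names are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical minimal position registry (example only, not WiseLending code).
/// Demonstrates a transfer cooldown keyed on the last deposit/withdraw timestamp.
contract PositionCooldownExample {
    /// Assumed duration; a real deployment would pick this from its own risk model.
    uint256 public constant TRANSFER_COOLDOWN = 1 hours;

    mapping(uint256 => address) public ownerOf;       // position id -> owner
    mapping(uint256 => uint256) public deposited;     // position id -> wei backing it
    mapping(uint256 => uint256) public lastOperation; // position id -> timestamp of last deposit/withdraw
    uint256 public nextId = 1;

    error NotOwner();
    error InsufficientDeposit();
    error TransferInCooldown(uint256 readyAt);

    event PositionMinted(uint256 indexed id, address indexed owner);
    event Deposited(uint256 indexed id, uint256 amount);
    event Withdrawn(uint256 indexed id, uint256 amount);
    event Transferred(uint256 indexed id, address indexed from, address indexed to);

    modifier onlyOwner(uint256 id) {
        if (ownerOf[id] != msg.sender) revert NotOwner();
        _;
    }

    /// Each user mints a position on first interaction, mirroring the docs quoted above.
    function mint() external returns (uint256 id) {
        id = nextId++;
        ownerOf[id] = msg.sender;
        emit PositionMinted(id, msg.sender);
    }

    function deposit(uint256 id) external payable onlyOwner(id) {
        deposited[id] += msg.value;
        lastOperation[id] = block.timestamp; // any change to the backing restarts the cooldown
        emit Deposited(id, msg.value);
    }

    function withdraw(uint256 id, uint256 amount) external onlyOwner(id) {
        if (amount > deposited[id]) revert InsufficientDeposit();
        // Effects before interaction so a reentrant call sees the updated balance.
        deposited[id] -= amount;
        lastOperation[id] = block.timestamp; // the withdrawal in step 5 of the PoC lands here
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
        emit Withdrawn(id, amount);
    }

    /// Transfer is refused until the cooldown since the last operation has elapsed,
    /// so a sale submitted right after a withdrawal reverts rather than completing.
    function transfer(uint256 id, address to) external onlyOwner(id) {
        uint256 readyAt = transferReadyAt(id);
        if (block.timestamp < readyAt) revert TransferInCooldown(readyAt);
        ownerOf[id] = to;
        emit Transferred(id, msg.sender, to);
    }

    /// Earliest timestamp at which the position may change hands; useful for
    /// marketplaces and buyers to check before committing funds.
    function transferReadyAt(uint256 id) public view returns (uint256) {
        return lastOperation[id] + TRANSFER_COOLDOWN;
    }
}
```

In a production ERC721 the same check would sit in the token's transfer hook rather than in a custom `transfer`, and a marketplace buying such a position should additionally pass the deposit amount it expects and revert if `deposited[id]` is lower, since a cooldown alone only delays, rather than prevents, a seller draining a position before listing it.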

vm06007 commented 6 months ago

This is out of scope check here: https://github.com/code-423n4/2024-02-wise-lending-findings/issues/35

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as insufficient quality report

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Invalid