code-423n4 / 2024-02-wise-lending-findings


``blockReservePublic()`` does not block public reservation, only third-party #209

Closed c4-bot-7 closed 5 months ago

c4-bot-7 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PositionNFTs.sol#L90-L109

Vulnerability details

Impact

The `blockReservePublic()` function is used to block public reserving; however, it does not actually block this. Reserving can be done through two methods:

```solidity
// Path 1: self-reservation. No access modifier and no check of
// reservePublicBlocked before delegating to the internal helper.
function reservePosition()
    external
    returns (uint256)
{
    return _reservePositionForUser(
        msg.sender
    );
}

// Path 2: reservation on behalf of another address. This is the only
// path gated by onlyReserveRole.
function reservePositionForUser(
    address _user
)
    onlyReserveRole
    external
    returns (uint256)
{
    return _reservePositionForUser(
        _user
    );
}
```

As seen above, `reservePosition()` is not protected, nor is the `reservePublicBlocked` variable checked to see whether it has been set to true. This allows individuals to continue reserving after it is blocked.

Proof of Concept

```solidity
// The unguarded self-reservation path: callable by anyone at any time,
// regardless of the value of reservePublicBlocked.
function reservePosition()
    external
    returns (uint256)
{
    return _reservePositionForUser(
        msg.sender
    );
}
```

Tools Used

Manual Review

Recommended Mitigation Steps

Revert all calls to `reservePosition()` when `reservePublicBlocked` is true, or apply the `onlyReserveRole` modifier, which does the necessary checks.

Assessed type

Access Control
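The two reservation paths and the way the flag gates only one of them, as an added illustration that is not the project's `PositionNFTs.sol` and not code from the report. The storage layout, the `onlyMaster` gate, the `setReserveRole` setter and the body of `onlyReserveRole` are assumptions chosen to match the maintainer's description below (self use is always allowed; once blocked, reserving for others is allowed only for addresses on the list). Only the two reserve function signatures and the name `reservePublicBlocked` come from the report. The `reservePositionStrict()` variant is the report's recommended mitigation, included for comparison only; the maintainers did not adopt it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Example contract (assumed design, not the project's code) showing why
/// blockReservePublic() leaves reservePosition() callable: the flag is only
/// consulted inside onlyReserveRole, and that modifier is only on the
/// third-party path.
contract ReserveGateExample {
    address public immutable master;          // assumed admin role
    bool public reservePublicBlocked;         // name taken from the report
    mapping(address => bool) public reserveRole; // assumed "the list"

    uint256 private nextId = 1;
    mapping(address => uint256) public reserved;

    error NotMaster();
    error NotPermitted();
    error AlreadyReserved();

    constructor() {
        master = msg.sender;
    }

    modifier onlyMaster() {
        if (msg.sender != master) revert NotMaster();
        _;
    }

    /// Assumed semantics: the list is consulted only after the public
    /// reservation has been blocked. Before that, anyone passes.
    modifier onlyReserveRole() {
        if (reservePublicBlocked && !reserveRole[msg.sender]) {
            revert NotPermitted();
        }
        _;
    }

    /// Flips the flag. Note that nothing in the self-reservation path
    /// reads it, so that path is unaffected by design.
    function blockReservePublic() external onlyMaster {
        reservePublicBlocked = true;
    }

    function setReserveRole(address _who, bool _allowed) external onlyMaster {
        reserveRole[_who] = _allowed;
    }

    // Path 1: self-reservation. Intentionally ungated; the flag is not checked.
    function reservePosition() external returns (uint256) {
        return _reservePositionForUser(msg.sender);
    }

    // Path 2: reservation on behalf of another address. This is the only
    // path that blockReservePublic() restricts.
    function reservePositionForUser(address _user)
        external
        onlyReserveRole
        returns (uint256)
    {
        return _reservePositionForUser(_user);
    }

    // The report's recommended variant (not adopted by the project):
    // self-reservation also reverts once the flag is set.
    function reservePositionStrict() external returns (uint256) {
        if (reservePublicBlocked) revert NotPermitted();
        return _reservePositionForUser(msg.sender);
    }

    /// Assumed internal helper: one reservation per user, sequential ids.
    function _reservePositionForUser(address _user) internal returns (uint256) {
        if (reserved[_user] != 0) revert AlreadyReserved();
        uint256 id = nextId++;
        reserved[_user] = id;
        return id;
    }
}
```

Walking through it: after `blockReservePublic()`, a call to `reservePositionForUser(x)` from an address not in `reserveRole` reverts with `NotPermitted`, while `reservePosition()` from the same address still succeeds. That is exactly the behaviour the report flagged and the maintainers describe as intended; whether it is a finding depends entirely on the design intent, which is why the issue was closed as invalid.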

vm06007 commented 6 months ago

Yes, this is how it is intended: it only blocks 3rd-party use. It should not block self use.

vm06007 commented 6 months ago

This can be dismissed and marked as invalid, as the submitter failed to understand that this is as intended by design: users should be able to reserve for themselves regardless, but for others only based on the list.

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as insufficient quality report

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Invalid