Closed c4-bot-7 closed 5 months ago
Yes, this is how it is intended; it only blocks 3rd party use. It should not block self use.
This can be dismissed and marked as invalid, as the submitter failed to understand that this is as intended by design, and users should be able to reserve for self regardless, but for others based on the list.
GalloDaSballo marked the issue as insufficient quality report
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PositionNFTs.sol#L90-L109
Vulnerability details
Impact
The blockReservePublic() is used to block the public reserve, however it does not actually block this. Reserving can be done through 2 methods:
- reservePosition() is used for individual reservations
- reservePositionForUser() is used for third party reservation
As seen above, the reservePosition() is not protected, neither is the variable checked to see if reservePublicBlocked has been set to true. This allows individuals to continue reserving after it is blocked.
Proof of Concept
Tools Used
Manual Review
Recommended Mitigation Steps
Revert all calls to reservePosition() when reservePublicBlocked is true, or implement the onlyReserveRole which does the necessary checks
Assessed type
Access Control
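The design the sponsor describes (self-reservation always open, third-party reservation gated by the flag and a list), as an added sketch that is not the Wise Lending contract's code. Only the names reservePosition, reservePositionForUser, blockReservePublic, reservePublicBlocked and onlyReserveRole come from this page; the owner check, the reserveRole mapping, the storage layout and the modifier body are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.23;

// Hypothetical model of the access-control split discussed in the issue.
contract ReserveGateSketch {
    address public immutable owner;              // assumed admin
    bool public reservePublicBlocked;            // flag named in the report
    uint256 public totalReserved;

    mapping(address => bool) public reserveRole; // assumed allow-list ("the list")
    mapping(address => uint256) public reserved; // user => reserved id (0 = none)

    error NotPermitted();

    constructor() {
        owner = msg.sender;
        reserveRole[msg.sender] = true;
    }

    // The gate only bites once the flag is set, and only for callers off the list.
    modifier onlyReserveRole() {
        if (reservePublicBlocked && !reserveRole[msg.sender]) revert NotPermitted();
        _;
    }

    // Assumed to be admin-only; the page does not say who may call it.
    function blockReservePublic() external {
        if (msg.sender != owner) revert NotPermitted();
        reservePublicBlocked = true;
    }

    // Self-reservation: deliberately ungated, since the caller can only
    // ever reserve an id for msg.sender.
    function reservePosition() external returns (uint256) {
        return _reserve(msg.sender);
    }

    // Third-party reservation: the only path where the caller picks the
    // beneficiary, so it is the only path the flag restricts.
    function reservePositionForUser(address _user) external onlyReserveRole returns (uint256) {
        return _reserve(_user);
    }

    function _reserve(address _user) internal returns (uint256) {
        if (reserved[_user] != 0) return reserved[_user]; // idempotent per user
        reserved[_user] = ++totalReserved;
        return reserved[_user];
    }
}
```

Applying the report's mitigation would mean putting onlyReserveRole on reservePosition() as well, which is the behaviour the sponsor states is not intended.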