code-423n4 / 2024-02-wise-lending-findings


PositionNFT can be sold to another user while it has a borrow position #234

Closed c4-bot-8 closed 5 months ago

c4-bot-8 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PositionNFTs.sol#L11

Vulnerability details

As positions inside WiseLending are held as NFTs, a user could deposit collateral, mint the corresponding PositionNFT and then proceed to sell it on secondary markets (this has happened in the past with Uniswap LP NFTs). While this in itself is not an issue for the protocol, there are no checks to ensure the position has no borrowed funds before it is transferred. The seller could observe the transfer event for his PositionNFT and frontrun the transaction by borrowing funds, profiting from both the sale price of the position (say 90% of the collateral value) and the borrowed funds.

Impact

Malicious users can leave open positions and get rid of their PositionNFT for profit, the seller of such a position having no incentive to pay back the debt.

Proof of Concept

  1. Create a PositionNFT, deposit collateral
  2. Put the PositionNFT for sale, at a slight discount
  3. Listen for the transfer event, frontrun by borrowing max for the collateral
  4. The buyer is left with a PositionNFT that has borrowed funds

Tools Used

Manual review

Recommended Mitigation Steps

Override _beforeTokenTransfer from OZ ERC721 and prevent PositionNFTs with open borrow positions from being transferred.

Assessed type

MEV
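The transfer guard proposed in the mitigation above, written out as an added example. This is illustration code, not WiseLending's PositionNFTs.sol and not something the project adopted (the sponsor's reply below treats transferability as intended). It assumes OpenZeppelin Contracts v4.x, whose ERC721 exposes the _beforeTokenTransfer(from, to, firstTokenId, batchSize) hook; IDebtOracle and totalBorrowOf are hypothetical names standing in for however the lending contract reports a position's outstanding borrow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not WiseLending code. Assumes OpenZeppelin Contracts v4.x
// (v5 replaced _beforeTokenTransfer with the _update(to, tokenId, auth) hook).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Hypothetical interface: whatever the lending contract exposes to report
// the total outstanding borrow of a position, in a single accounting unit.
interface IDebtOracle {
    function totalBorrowOf(uint256 positionId) external view returns (uint256);
}

contract GuardedPositionNFT is ERC721 {
    IDebtOracle public immutable debtOracle;

    error OpenBorrowPosition(uint256 positionId, uint256 debt);

    constructor(IDebtOracle _debtOracle) ERC721("Position", "POS") {
        debtOracle = _debtOracle;
    }

    // Reverts any transfer of a position that still carries debt.
    // Mints (from == address(0)) and burns (to == address(0)) are left alone:
    // a freshly minted position has no debt, and burning is the lending
    // contract's business, not the NFT's.
    function _beforeTokenTransfer(
        address from,
        address to,
        uint256 firstTokenId,
        uint256 batchSize
    ) internal virtual override {
        if (from != address(0) && to != address(0)) {
            for (uint256 i = 0; i < batchSize; ++i) {
                uint256 id = firstTokenId + i;
                uint256 debt = debtOracle.totalBorrowOf(id);
                if (debt != 0) {
                    revert OpenBorrowPosition(id, debt);
                }
            }
        }
        super._beforeTokenTransfer(from, to, firstTokenId, batchSize);
    }
}
```

Because the debt read happens in the same transaction as the transfer, the frontrun borrow in step 3 of the PoC makes the sale transaction revert with OpenBorrowPosition instead of handing the buyer a leveraged position; the seller gains nothing beyond the gas spent. The cost is that legitimately leveraged positions also become non-transferable, which is exactly the behavior the sponsor's reply says the protocol does not want. If the guard is not in the contract, the equivalent protection has to live on the buyer's side: read the position's debt in the same transaction that pays for the NFT (for example from a purchase wrapper contract) and revert if it is non-zero, since an off-chain check before sending the buy transaction can be frontrun in the way the finding describes.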

vm06007 commented 5 months ago

Out of scope: read the scope and understand better which kind of findings are welcome here. This kind of finding is not a security concern from the protocol's perspective and therefore can be dismissed. In fact this is expected behavior: the NFT should be transferable either way.

This "finding" can be dismissed.

c4-pre-sort commented 5 months ago

GalloDaSballo marked the issue as insufficient quality report

c4-judge commented 5 months ago

trust1995 marked the issue as unsatisfactory: Invalid