Closed c4-bot-8 closed 3 months ago
This is invalid submission.
Users should ALWAYS be able to reserve NFTs as long as they reserve for themselves, this is desired functionality. The author of this "finding" does not understand that reservePublicBlocked
is only applied on ability to reserve NFTs for other users (hence when someone else reserves NFTs for other arbitrary address) but as long as user performs reservation for their own account this is fine. Team specifically need to separate from ability to reserve for self and other users. If the suggested code change is applied that author of this "finding" suggests, then it is not possible to differentiate and both functions are blocked at the same time.
This modifier should only be applied for one function as a way to control who can use reservePositionForUser
Normal reservations reservePosition
should always be possible. "Finding" dismissed.
GalloDaSballo marked the issue as insufficient quality report
trust1995 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PositionNFTs.sol#L90-L97 https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PositionNFTs.sol#L99-L109
Vulnerability details
Bug Description
In order to understand this bug, we need to have overall context of positionNFT contract. Here we go:
These two states are crucial to understand this bug.
reserveRole
stores addresses of users who have the authority to reserve nfts even after public reserving is blocked. While asreservePublicBlocked
tracks whether public reserving is blocked or not.Apart from these two states,
onlyReserveRole()
modifier checks if the public reserves are blocked, when they are it further validates whether the caller is assigned reserving responsibilitiesreservePositionForUser()
implements this modifier and functions as expected without introducing any bugs.But unfortunately there is another function that allows anyone to reserve nfts regardless of reserveRole
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PositionNFTs.sol#L90-L97
The user can then mint the reserved nft using either
approveMint(address,uint256)
,mintPositionForUser(address)
or even withmintPosition()
Impact
The PositionNfts Contract is supposed to allow non reserveRoles to reserve nfts only when
reservePublicBlocked
is false, but due to the lack of proper access controls, anyone can reserve nfts even afterreservePublicBlocked
is set to true.For the further impact, user can then mint the reserved nft and withdraw it for ETH in Wiselending contract
Proof of Concept
Please note that, due to depreciation of _exists function in openzeppelin contracts, PositionNFT.sol causes compilation issues, so in order to run this POC comment, these lines out:
Tools Used
Manual Analysis, Foundry
Recommended Mitigation Steps
Implement
onlyReserveRole()
modifier onreservePosition()
functionAssessed type
Access Control