Impact
The unauthorized assignment of reserved NFTs to users by an attacker with the reserve role could lead to a DoS for legitimate users, as they would be unable to use the reserved NFTs for their own positions. Additionally, the presence of dust in the NFTs could lead to unexpected calculation errors in other parts of the system that interact with these NFTs, potentially affecting the overall functionality and security of the system.
The enterFarm function in the PendlePowerManager.sol contract calls _getWiseLendingNFT, which in turn calls _registrationFarm, which in turn calls setRegistrationIsolationPool. This function checks whether there is any collateral on the NFT by calling _validateZero(WISE_SECURITY.overallETHCollateralsBare(_nftId)). If there is any collateral, it reverts the transaction. Since the attacker has deposited dust into the NFTs, the enterFarm function will revert for any new user who tries to use these NFTs. This would prevent new users from participating in the farm.
Proof of Concept
The reservePositionForUser function in the PositionNFTs.sol contract is marked with the onlyReserveRole modifier, which means that only addresses with the reserve role can call this function. However, this does not prevent anyone from calling reservePositionForUser if they have the reserve role. This could potentially allow an attacker with the reserve role to assign a reserved NFT to any user, which could be exploited to manipulate the system.
Here is the relevant code snippet from the PositionNFTs.sol contract:
Attack Scenarios:
Bob, a malicious user, reserves NFTs for some users, deposits some dust and locks enterFarm for them
Bob could reserve NFTs for other users by exploiting the reservePositionForUser function.
Bob could then deposit a small amount of dust into these reserved NFTs and lock them in the enterFarm function. This would prevent legitimate users from using these NFTs for their own positions.
Bob deposits on future NFTs and locks enterFarm for any new user
Bob could also mint new NFTs and deposit dust into them, effectively locking them in the enterFarm function. This would prevent new users from using these NFTs for their own positions.
Tools Used
Manual Review
Recommended Mitigation Steps
To mitigate this issue, consider the following steps:
Put strict restrictions on the reserve role: Only allow trusted addresses to have the reserve role. This would prevent an attacker from exploiting the reservePositionForUser function.
Add checks in the enterFarm function to ensure that the NFTs being used are in a valid state and do not contain dust.
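A monitoring-side complement to the steps above, as an added example that is not part of the original report or the Wise Lending code base: it scans a constructed, simplified event stream for deposits that leave non-zero collateral on an NFT id the depositor does not hold, which is the state in which the registration check described earlier reverts. The Event record, its kind names and the addresses are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Constructed, simplified event record; field and kind names are hypothetical."""
    kind: str         # "reserve", "mint" or "deposit"
    nft_id: int
    actor: str        # address that sent the transaction
    user: str = ""    # beneficiary of a reserve or mint
    amount: int = 0   # deposited collateral in wei


def find_dusted_positions(events):
    """Return {nft_id: reason} for NFT ids that received collateral from someone
    other than their holder before being minted, so that a later
    _validateZero(overallETHCollateralsBare(nftId)) check would revert."""
    holder = {}     # nft_id -> user the id is reserved for or minted to
    minted = set()  # ids that already exist as NFTs
    findings = {}
    for ev in events:
        if ev.kind == "reserve":
            holder[ev.nft_id] = ev.user
        elif ev.kind == "mint":
            holder[ev.nft_id] = ev.user
            minted.add(ev.nft_id)
        elif ev.kind == "deposit" and ev.amount > 0:
            if ev.nft_id not in holder:
                findings[ev.nft_id] = "deposit to an id that is neither reserved nor minted"
            elif ev.actor != holder[ev.nft_id] and ev.nft_id not in minted:
                findings[ev.nft_id] = "third-party deposit to a reserved id"
    return findings


# Constructed sample: addresses are placeholders, amounts are in wei.
SAMPLE = [
    Event("reserve", 7, actor="bob", user="alice"),
    Event("deposit", 7, actor="bob", amount=1),          # dust on Alice's reserved id
    Event("deposit", 9, actor="bob", amount=1),          # dust on a future id
    Event("mint", 8, actor="carol", user="carol"),
    Event("deposit", 8, actor="carol", amount=10**18),   # ordinary deposit by the owner
]

if __name__ == "__main__":
    for nft_id, reason in sorted(find_dusted_positions(SAMPLE).items()):
        print(nft_id, reason)
```
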
Lines of code
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarm/PendlePowerManager.sol#L96-L140
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarm/PendlePowerManager.sol#L193
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L1386-L1397
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PositionNFTs.sol#L111-L127
Assessed type
DoS