code-423n4 / 2024-02-wise-lending-findings


Unauthorized Assignment of Reserved NFTs to Users #298

Closed c4-bot-6 closed 3 months ago

c4-bot-6 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarm/PendlePowerManager.sol#L96-L140
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PowerFarms/PendlePowerFarm/PendlePowerManager.sol#L193
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/WiseLending.sol#L1386-L1397
https://github.com/code-423n4/2024-02-wise-lending/blob/79186b243d8553e66358c05497e5ccfd9488b5e2/contracts/PositionNFTs.sol#L111-L127

Vulnerability details

Impact

The unauthorized assignment of reserved NFTs to users by an attacker with the reserve role could lead to a DoS for legitimate users, as they would be unable to use the reserved NFTs for their own positions. Additionally, the presence of dust in the NFTs could lead to unexpected calculation errors in other parts of the system that interact with these NFTs, potentially affecting the overall functionality and security of the system.

The enterFarm function in the PendlePowerManager.sol contract calls _getWiseLendingNFT, which in turn calls _registrationFarm which in turn calls setRegistrationIsolationPool. This function checks if there is any collateral on the NFT by calling _validateZero(WISE_SECURITY.overallETHCollateralsBare(_nftId)). If there is any collateral, it reverts the transaction. Since the attacker has deposited dust into the NFTs, the enterFarm function will revert for any new user who tries to use these NFTs. This would prevent new users from participating in the farm.

Proof of Concept

The reservePositionForUser function in the PositionNFTs.sol contract is marked with the onlyReserveRole modifier, which means that only addresses with the reserve role can call this function. However, this does not prevent anyone from calling reservePositionForUser if they have the reserve role. This could potentially allow an attacker with the reserve role to assign a reserved NFT to any user, which could be exploited to manipulate the system.

Here is the relevant code snippet from the PositionNFTs.sol contract:

function reservePositionForUser(
    address _user
)
    onlyReserveRole
    external
    returns (uint256)
{
    return _reservePositionForUser(
        _user
    );
}

Attack Scenarios:

  1. Bob, a malicious user, reserves NFTs for some users, deposits some dust and locks enterFarm for them

    • Bob could reserve NFTs for other users by exploiting the reservePositionForUser function.
    • Bob could then deposit a small amount of dust into these reserved NFTs and lock them in the enterFarm function. This would prevent legitimate users from using these NFTs for their own positions.
  2. Bob deposits on future NFTs and locks enterFarm for any new user

    • Bob could also mint new NFTs and deposit dust into them, effectively locking them in the enterFarm function. This would prevent new users from using these NFTs for their own positions.

Tools Used

Manual Review

Recommended Mitigation Steps

To mitigate this issue, consider the following steps:

Assessed type

DoS

c4-pre-sort commented 4 months ago

GalloDaSballo marked the issue as insufficient quality report

GalloDaSballo commented 4 months ago

Unclear and self-contradicting

vm06007 commented 3 months ago

Should be invalidated.

c4-judge commented 3 months ago

trust1995 marked the issue as unsatisfactory: Invalid