Impact
A user's LP position could be locked in V3Vault forever if the user mistakenly sets the recipient in the calldata of create() to the zero address. It is easy to misunderstand the create() function and pass 0x0 as the recipient, which makes the vault record the zero address as the owner of the position, potentially locking the position in the vault forever.
Proof of Concept
This issue is possible because the onERC721Received() function in the V3Vault contract does not check whether the recipient is the zero address; if it is, the vault stores the zero address as the owner of the position.
To run the test, add the following test to test/integration/V3Vault.t.sol:
    function testCreatePositionToZeroAddress() external {
        // The NFT holder approves the vault to pull the position
        vm.prank(TEST_NFT_ACCOUNT);
        NPM.approve(address(vault), TEST_NFT);
        // ... and creates the position with the zero address as recipient
        vm.prank(TEST_NFT_ACCOUNT);
        vault.create(TEST_NFT, address(0));
        // The vault now records address(0) as the owner while holding the NFT
        assertTrue(vault.ownerOf(TEST_NFT) == address(0));
        assertTrue(NPM.ownerOf(TEST_NFT) == address(vault));
        console.log("NFT Lost Forever");
        console.log("Owner of NFT in NPM: ", NPM.ownerOf(TEST_NFT));
        console.log("Owner of NFT in Vault: ", vault.ownerOf(TEST_NFT));
    }
Output of the test run:
Ran 1 test for test/integration/V3Vault.t.sol:V3VaultIntegrationTest
[PASS] testCreatePositionToZeroAddress() (gas: 186268)
Logs:
NFT Lost Forever
Owner of NFT in NPM: 0xF62849F9A0B5Bf2913b396098F7c7019b51A820a
Owner of NFT in Vault: 0x0000000000000000000000000000000000000000
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 530.37ms (929.12µs CPU time)
Ran 1 test suite in 574.87ms (530.37ms CPU time): 1 tests passed, 0 failed, 0 skipped (1 total tests)
Tools Used
Foundry, manual review
Recommended Mitigation Steps
To mitigate this issue, it is recommended to add a check in onERC721Received() and to set the owner of the CDP to msg.sender (the from parameter of onERC721Received()) if the recipient is the zero address.
A possible solution would be something like this:
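As an added illustration (not the Revert Lend V3Vault source and not the author's own patch), the following minimal vault shows the unchecked owner resolution described in this report next to a hardened version that falls back to the from address and fails closed if the resolved owner is still zero. The contract name, the positionManager field and the helper function names are assumptions.

```solidity
// Added example, not the V3Vault code: a minimal vault that escrows an ERC-721
// position and records a logical owner for it. The recipient travels in the
// safeTransferFrom calldata, as the report describes for create().
pragma solidity ^0.8.0;

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

interface IERC721Minimal {
    function safeTransferFrom(address from, address to, uint256 tokenId, bytes calldata data) external;
}

contract PositionVaultExample is IERC721Receiver {
    IERC721Minimal public immutable positionManager; // assumed: the NFT contract whose tokens are accepted
    mapping(uint256 => address) public ownerOf;       // logical owner of each escrowed position

    error WrongContract();
    error ZeroRecipient();

    constructor(IERC721Minimal pm) {
        positionManager = pm;
    }

    // Mirrors the create() flow from the report: the caller's NFT is pulled into
    // the vault and the intended owner is encoded into the transfer calldata.
    function create(uint256 tokenId, address recipient) external {
        positionManager.safeTransferFrom(msg.sender, address(this), tokenId, abi.encode(recipient));
    }

    // UNCHECKED pattern (the behaviour the report describes): whatever address the
    // calldata carries becomes the owner, so abi.encode(address(0)) stores the zero
    // address and no account can ever act on this token through the vault.
    function _resolveOwnerUnchecked(address from, bytes calldata data) internal pure returns (address owner) {
        owner = from;
        if (data.length > 0) {
            owner = abi.decode(data, (address));
        }
    }

    // HARDENED pattern (the report's recommendation): a zero recipient falls back
    // to `from`, i.e. the account that called create().
    function _resolveOwner(address from, bytes calldata data) internal pure returns (address owner) {
        owner = from;
        if (data.length > 0) {
            address recipient = abi.decode(data, (address));
            if (recipient != address(0)) {
                owner = recipient;
            }
        }
    }

    function onERC721Received(address, address from, uint256 tokenId, bytes calldata data)
        external override returns (bytes4)
    {
        // Only accept tokens pushed by the position manager itself.
        if (msg.sender != address(positionManager)) revert WrongContract();

        address owner = _resolveOwner(from, data);
        // Fail closed: never record the zero address as an owner, whatever the source.
        if (owner == address(0)) revert ZeroRecipient();

        ownerOf[tokenId] = owner;
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

With this resolver, the proof-of-concept test above would leave the position owned by TEST_NFT_ACCOUNT inside the vault instead of address(0); the final revert is defence in depth so that a zero owner can never be stored even if a future calldata format bypasses the fallback.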
Lines of code
https://github.com/code-423n4/2024-03-revert-lend/blob/main/src/V3Vault.sol#L443-L445
Assessed type
Invalid Validation