Lines of code
Vulnerability details
C4 Issue
H-03: V3Vault::transform does not validate the data input...
Issue Details
Any account that has a position inside V3Vault.sol can use the transform() function to manage the NFT through a set of approved transformer contracts while it is owned by the vault. The transform() function accepts encoded calldata that is passed to the transformer contract for execution.
The problem was that transform() did not validate that the encoded tokenId inside the calldata was owned by the caller, which allowed malicious users to exploit the positions of other users.
Mitigation
PR-29 successfully mitigates the original issue by introducing the following check, which has been applied to all current transformers:
It is no longer possible for a vault to transform a token different from the one set as being transformed.
I've conducted additional tests to verify the fix and confirm that the vulnerability has been mitigated.
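The binding between the vault-authenticated tokenId and the tokenId decoded from calldata, as a simplified Solidity model added here for illustration. It is not the code from PR-29 or from the project; the contract and function names (MiniVault, MiniTransformer, register, execute) and the single-transformer setup are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model for illustration; every name here is hypothetical.
contract MiniVault {
    mapping(uint256 => address) public positionOwner; // tokenId => depositor
    address public immutable transformer;             // the single approved transformer
    uint256 public transformedTokenId;                // 0 = no transform in progress

    error Unauthorized();
    error TransformFailed();

    constructor(address transformer_) { transformer = transformer_; }

    // Stand-in for depositing an NFT: the first caller to register an id owns the position.
    function register(uint256 tokenId) external {
        require(tokenId != 0 && positionOwner[tokenId] == address(0), "taken");
        positionOwner[tokenId] = msg.sender;
    }

    function transform(uint256 tokenId, bytes calldata data) external {
        // The vault authenticates only this argument; `data` is opaque to it.
        if (positionOwner[tokenId] != msg.sender || transformedTokenId != 0) revert Unauthorized();
        transformedTokenId = tokenId;         // publish which token is being transformed
        (bool ok, ) = transformer.call(data); // `data` carries its own encoded tokenId
        if (!ok) revert TransformFailed();
        transformedTokenId = 0;
    }
}

contract MiniTransformer {
    mapping(uint256 => uint256) public timesTransformed; // observable effect per token

    error Unauthorized();

    // Called by the vault with the user-supplied calldata.
    function execute(uint256 tokenId) external {
        // Bind the decoded tokenId to the one the vault authenticated. Without this
        // comparison, calldata naming another depositor's position would be executed.
        if (MiniVault(msg.sender).transformedTokenId() != tokenId) revert Unauthorized();
        timesTransformed[tokenId] += 1;
    }
}
```

In this model, a depositor who owns position 1 and passes calldata encoding `execute(2)` to `transform(1, data)` gets a `TransformFailed` revert, because the transformer sees `transformedTokenId() == 1`.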
Conclusion
Mitigation Confirmed