code-423n4 / 2024-04-revert-mitigation-findings


H-03 MitigationConfirmed #19

Open c4-bot-3 opened 4 months ago

c4-bot-3 commented 4 months ago

Lines of code

Vulnerability details

C4 Issue

H-03: V3Vault::transform does not validate the data input...

Issue Details

Any account that has a position inside V3Vault.sol can use the transform() function to manage the NFT through a set of approved transformer contracts, while it is owned by the vault. The transform() function accepts the encoded calldata that is passed to the transformer contract for execution.

The problem was that transform() did not validate whether the encoded tokenId inside the calldata was owned by the caller, which allowed malicious users to exploit the positions of other users.

Mitigation

PR-29 successfully mitigates the original issue by introducing the following check, which has been applied to all current transformers:

    function _validateCaller(INonfungiblePositionManager nonfungiblePositionManager, uint256 tokenId) internal view {
        if (vaults[msg.sender]) {
            uint256 transformedTokenId = IVault(msg.sender).transformedTokenId();
            if (tokenId != transformedTokenId) {
                revert Unauthorized();
            }
        } else {
            address owner = nonfungiblePositionManager.ownerOf(tokenId);
            if (owner != msg.sender && owner != address(this)) {
                revert Unauthorized();
            }
        }
    }

It is not possible anymore for a vault to transform a token different from the one set as being transformed.

I've conducted additional tests to verify the fix and confirm that the vulnerability has been mitigated.

Conclusion

Mitigation Confirmed
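A self-contained regression harness for the check discussed above, added here as an illustration; it is not part of the original comment or of the project's code. `MockTransformer`, `MockVault`, `IOwnerOf`, `Demo` and the token ids are constructed stand-ins (assumptions), and only the branches of `_validateCaller` follow the snippet quoted from PR-29. `Demo.run()` reports that a vault call whose calldata names a token other than `transformedTokenId` is rejected, while the matching call goes through.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;
// Constructed mocks for illustration only; not the project's contracts.
interface IVault { function transformedTokenId() external view returns (uint256); }
interface IOwnerOf { function ownerOf(uint256 tokenId) external view returns (address); }

contract MockTransformer {
    error Unauthorized();
    mapping(address => bool) public vaults;
    IOwnerOf public immutable npm;
    uint256 public lastTransformed;
    constructor(IOwnerOf _npm, address vault) { npm = _npm; vaults[vault] = true; }
    // Same branches as the check quoted from PR-29.
    function _validateCaller(uint256 tokenId) internal view {
        if (vaults[msg.sender]) {
            if (tokenId != IVault(msg.sender).transformedTokenId()) revert Unauthorized();
        } else {
            address owner = npm.ownerOf(tokenId);
            if (owner != msg.sender && owner != address(this)) revert Unauthorized();
        }
    }
    function execute(uint256 tokenId) external { _validateCaller(tokenId); lastTransformed = tokenId; }
}
// Doubles as the position manager: every deposited NFT is held by the vault.
contract MockVault is IVault, IOwnerOf {
    uint256 public override transformedTokenId;
    mapping(uint256 => address) public positionOwner;
    function deposit(uint256 tokenId, address owner) external { positionOwner[tokenId] = owner; }
    function ownerOf(uint256) external view override returns (address) { return address(this); }
    // Checks ownership of `tokenId` only; `data` is forwarded as-is, as in the original issue.
    function transform(uint256 tokenId, address transformer, bytes calldata data) external {
        require(positionOwner[tokenId] == msg.sender, "not position owner");
        transformedTokenId = tokenId;
        (bool ok,) = transformer.call(data);
        transformedTokenId = 0;
        require(ok, "transform failed");
    }
}

contract Demo {
    function run() external returns (bool mismatchBlocked, uint256 transformed) {
        MockVault vault = new MockVault();
        MockTransformer t = new MockTransformer(vault, address(vault));
        vault.deposit(1, address(0xBEEF)); // another user's position
        vault.deposit(2, address(this));   // the caller's own position
        bytes4 sel = MockTransformer.execute.selector;
        try vault.transform(2, address(t), abi.encodeWithSelector(sel, uint256(1))) {} catch { mismatchBlocked = true; }
        vault.transform(2, address(t), abi.encodeWithSelector(sel, uint256(2))); // matching id succeeds
        transformed = t.lastTransformed();
    }
}
```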

c4-judge commented 4 months ago

jhsagd76 marked the issue as satisfactory