code-423n4 / 2024-04-revert-mitigation-findings


H-04 MitigationConfirmed #22

Open c4-bot-9 opened 7 months ago

c4-bot-9 commented 7 months ago

Lines of code

Vulnerability details

C4 Issue

H-04: V3Utils.execute() does not have caller validation, leading to stolen NFT positions...

Issue Details

The execute function of the V3Utils transformer contract did not validate the ownership of the token being transformed, which allowed an attacker to front-run users that approved V3Utils for their NFT and exploit their position.

Mitigation

PR-29 successfully mitigates the original issue by introducing the following check, which has been applied to all current transformers:

    function _validateCaller(INonfungiblePositionManager nonfungiblePositionManager, uint256 tokenId) internal view {
        if (vaults[msg.sender]) {
            // Caller is a registered vault: only the token it is currently transforming is allowed
            uint256 transformedTokenId = IVault(msg.sender).transformedTokenId();
            if (tokenId != transformedTokenId) {
                revert Unauthorized();
            }
        } else {
            // Any other caller: the token must be owned by the caller or by this contract
            address owner = nonfungiblePositionManager.ownerOf(tokenId);
            if (owner != msg.sender && owner != address(this)) {
                revert Unauthorized();
            }
        }
    }

It is not possible anymore for an account to call execute() on V3Utils for a token that is not owned by it.

I've conducted additional tests to verify the fix and confirm that the vulnerability has been mitigated.

Conclusion

Mitigation Confirmed
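The following is an added example, not part of the original report or of PR-29: a self-contained harness that exercises both branches of the check quoted above against four caller types. `MockNPM`, `Transformer`, `Actor` and `ValidateCallerCheck` are hypothetical stand-ins, and `Transformer.validate` restates the quoted logic so the file compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// All contracts below are hypothetical stand-ins built for this example.
contract MockNPM { // only the ownerOf() lookup the check relies on
    mapping(uint256 => address) public ownerOf;
    function mint(address to, uint256 tokenId) external { ownerOf[tokenId] = to; }
}

contract Transformer { // same two branches as the quoted _validateCaller
    error Unauthorized();
    mapping(address => bool) public vaults;
    function setVault(address vault) external { vaults[vault] = true; }
    function validate(MockNPM npm, uint256 tokenId) external view {
        if (vaults[msg.sender]) {
            // registered vault: only the position it is transforming right now
            if (tokenId != Actor(msg.sender).transformedTokenId()) revert Unauthorized();
        } else {
            address owner = npm.ownerOf(tokenId);
            if (owner != msg.sender && owner != address(this)) revert Unauthorized();
        }
    }
}

contract Actor { // acts as a plain caller, or as a vault once registered
    uint256 public transformedTokenId;
    function setTransformed(uint256 tokenId) external { transformedTokenId = tokenId; }
    function tryValidate(Transformer t, MockNPM npm, uint256 tokenId) external view returns (bool) {
        try t.validate(npm, tokenId) { return true; } catch { return false; }
    }
}

contract ValidateCallerCheck {
    function run() external { // reverts if any expectation below fails
        MockNPM npm = new MockNPM();
        Transformer t = new Transformer();
        Actor owner = new Actor();
        Actor stranger = new Actor();
        Actor vault = new Actor();
        npm.mint(address(owner), 1);
        npm.mint(address(vault), 2); // constructed: vault holds positions 2 and 3
        npm.mint(address(vault), 3);
        t.setVault(address(vault));
        vault.setTransformed(2);
        require(owner.tryValidate(t, npm, 1), "owner must pass");
        require(!stranger.tryValidate(t, npm, 1), "non-owner must revert");
        require(vault.tryValidate(t, npm, 2), "vault, active token must pass");
        require(!vault.tryValidate(t, npm, 3), "vault, other token must revert");
    }
}
```

The last case shows that a registered vault is bound to its `transformedTokenId` even for another token it holds itself, so the vault branch is not a general ownership bypass.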

c4-judge commented 7 months ago

jhsagd76 marked the issue as satisfactory