V3Vault.sol exposed a vulnerability where newly created positions without any debt could be prematurely closed and removed from the vault by front-running their first borrow() call with a repay() call.
Since repay() transfers positions back to their owners after full debt repayment, it was very easy for anyone to close any position immediately after it was created: the debt is 0, so no funds are repaid, yet the position is still transferred out of the vault.
Mitigation
PR-8 successfully mitigates the original issue by introducing the following 2 changes:
implementing the pull-over-push pattern, where NFT transfers no longer happen automatically but through a separate function, remove(), that owners must call explicitly
adding a check inside repay() that prevents 0-share repayments
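A minimal Solidity sketch of the two changes described above, added here as an illustration and not taken from PR-8 or V3Vault.sol. The contract name, storage layout, error names and the zero-debt check in remove() are assumptions; debt is tracked 1:1 in shares, and borrow() with its collateral checks is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Illustrative sketch only: every name here is hypothetical, not the project's code.
contract VaultSketch {
    error NoSharesRepaid();
    error NotOwner();
    error DebtOutstanding();

    IERC721 public immutable positions;
    IERC20 public immutable asset;
    mapping(uint256 => address) public ownerOf;    // recorded when the NFT is deposited
    mapping(uint256 => uint256) public debtShares; // 0 for a freshly created position

    constructor(IERC721 p, IERC20 a) { positions = p; asset = a; }

    // Deposit: the vault records who sent the position NFT.
    function onERC721Received(address, address from, uint256 tokenId, bytes calldata) external returns (bytes4) {
        require(msg.sender == address(positions), "wrong NFT");
        ownerOf[tokenId] = from;
        return this.onERC721Received.selector;
    }

    // Change 2: repaying 0 shares reverts, so repay() on a debt-free position
    // is no longer a successful no-op.
    function repay(uint256 tokenId, uint256 shares) external {
        uint256 owed = debtShares[tokenId];
        if (shares > owed) shares = owed;
        if (shares == 0) revert NoSharesRepaid();
        debtShares[tokenId] = owed - shares;
        require(asset.transferFrom(msg.sender, address(this), shares), "transfer failed");
        // Change 1: no NFT transfer here, even when the debt reaches 0.
    }

    // Change 1 (pull over push): the position leaves the vault only on the owner's call.
    function remove(uint256 tokenId, address recipient) external {
        if (ownerOf[tokenId] != msg.sender) revert NotOwner();
        if (debtShares[tokenId] != 0) revert DebtOutstanding(); // assumed guard
        delete ownerOf[tokenId];
        positions.safeTransferFrom(address(this), recipient, tokenId);
    }
}
```

With this shape, a third party calling repay() on a fresh position reverts with NoSharesRepaid, and even a legitimate full repayment by someone else leaves the NFT in the vault until the owner calls remove().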
Lines of code
Vulnerability details
C4 Issue
M-15: Users' newly created positions can be prematurely closed and removed from the vault...
Conclusion
Mitigation Confirmed