code-423n4 / 2024-04-revert-mitigation-findings


H-02 MitigationConfirmed #77

Open c4-bot-8 opened 5 months ago

c4-bot-8 commented 5 months ago

Lines of code

Vulnerability details

C4 issue

H-02: Risk of re-entrancy onERC721Received function to manipulate collateral token configs shares

Comments

V3Vault.transform() will transfer a NFT position to the original NFT owner when it's cleaning up an old loan that is being transferred to a new loan. Because of this transfer, the NFT owner will receive the NFT and will be able to execute arbitrary code that can lead to a re-entrancy. This re-entrancy grants the NFT owner the ability to manipulate the state of the V3Vault contract. Once the re-entrancy transaction is complete, the parent transaction will continue to execute operations (i.e. V3Vault._updateAndCheckCollateral()). With a manipulated state through re-entrancy and V3Vault._updateAndCheckCollateral() being called, the state of the contract will become corrupted.

As specified in the primary issue, the problem arises because Revert does not apply a CEI pattern to V3Vault.transform(). Because there is no re-entrancy protection in the contract, the malicious user can call other functions in V3Vault, such as borrow(), and manipulate the token config total debt shares. This manipulation will lead to permanent corruption of the token's total debt shares, breaking the contract functionality.

Mitigation

PR #8, #32

The mitigation involves several fixes:

In summary, when a loan is cleaned up, the token is no longer transferred to the user. This core fix prevents a re-entrancy from occurring.

Anything Else We Should Know

Although this is not strictly an issue, Revert has duplicated the guard check in _repay(). This can be seen below:

https://github.com/revert-finance/lend/blob/audit/src/V3Vault.sol?plain=1#L1052-L1058

Finally, V3Vault.remove() does not delete the loan from the loans mapping. This can lead to orphaned loans existing in the state when a user fully repays a loan and then calls remove(). There is no known bug due to this behavior, but it can result in more expensive gas down the road as more orphaned loans persist.

Conclusion

LGTM
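The ordering problem and the fix described in this report, as an added example that is not part of the warden's submission or of the Revert codebase: a minimal vault with the vulnerable cleanup ordering beside a hardened form that follows the same approach as the mitigation (no NFT transfer during cleanup, state updated before any external call, reentrancy guard). Contract, mapping and function names are illustrative, and the import paths assume OpenZeppelin v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
/// Illustrative vault (not Revert's V3Vault): per-loan and per-collateral debt
/// shares, with a cleanup step that retires an old loan.
contract VaultExample is ReentrancyGuard {
    IERC721 public immutable nft;
    address public immutable collateral;
    uint256 public immutable limitShares;               // max debt shares for this collateral
    mapping(uint256 => uint256) public loanDebtShares;  // tokenId => shares
    mapping(address => uint256) public totalDebtShares; // collateral => shares

    constructor(IERC721 _nft, address _collateral, uint256 _limit) {
        nft = _nft; collateral = _collateral; limitShares = _limit;
    }

    // A re-entrant call into this function from onERC721Received is what the finding describes.
    function borrow(uint256 tokenId, uint256 shares) external {
        loanDebtShares[tokenId] += shares;
        totalDebtShares[collateral] += shares;
        _updateAndCheckCollateral();
    }

    // VULNERABLE ordering: safeTransferFrom calls onERC721Received on the owner
    // before the accounting is finalised, so code running in that callback sees
    // half-updated totals, and the decrement below then applies to a state the
    // callback has already changed.
    function cleanupOldLoan_vulnerable(uint256 oldId, address owner) external {
        uint256 shares = loanDebtShares[oldId];
        nft.safeTransferFrom(address(this), owner, oldId); // interaction first (bug)
        totalDebtShares[collateral] -= shares;             // effects after interaction
        delete loanDebtShares[oldId];
        _updateAndCheckCollateral();
    }

    // HARDENED: the NFT is not transferred during cleanup (the core fix), all
    // effects precede any external call (CEI), and nonReentrant blocks re-entry.
    function cleanupOldLoan(uint256 oldId) external nonReentrant {
        totalDebtShares[collateral] -= loanDebtShares[oldId];
        delete loanDebtShares[oldId]; // also avoids leaving an orphaned loan entry
        _updateAndCheckCollateral();
    }

    function _updateAndCheckCollateral() internal view {
        require(totalDebtShares[collateral] <= limitShares, "collateral limit exceeded");
    }
}
```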

c4-judge commented 5 months ago

jhsagd76 marked the issue as satisfactory

c4-judge commented 5 months ago

jhsagd76 marked the issue as confirmed for report