Closed c4-bot-10 closed 1 month ago
I believe this issue should be transferred to the validation repo and judged as med for the following reasoning:
This issue was confirmed by the sponsor in the following QA report: https://github.com/code-423n4/2024-08-superposition-findings/issues/168 (L-01)
The issue demonstrates how the NFT manager can be front-run and lose gas fees as a result of a tx revert. So I suggest upgrading it to medium severity.
Lines of code
https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/lib.rs#L554
Vulnerability details
Impact
In the current implementation of the `transfer_position_E_E_C7_A3_C_D()` function, only the NFT manager is able to transfer a user's position. But the problem is that the user can simply front-run any such transaction (transfer of position) by burning his NFT.

Proof of Concept
Let's take a look at the `transfer_position_E_E_C7_A3_C_D()`: https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/lib.rs#L554-569
So the function just removes the position from the `from` address and grants the position to the `to` address. However, any such transaction can be front-run by just calling `burn()`: https://github.com/code-423n4/2024-08-superposition/blob/main/pkg/seawater/src/lib.rs#L529-543
So there is no protection against front-running, and there is no check whether the position actually exists and has not already been burnt.
Tools Used
Manual review.
Recommended Mitigation Steps
This issue can be mitigated by allowing only the owner to transfer positions, or by disallowing this functionality altogether.
Assessed type
Other
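As an added illustration of the two guards the report recommends (this is not the Superposition/seawater code, and the `Ledger`, `transfer_position`, `burn` and `burn_then_transfer` names, the 20-byte address type and the position ids are all constructed for the example), the following minimal position ledger replays the ordering from the report: the owner's burn lands first, and the subsequent transfer is rejected up front with an explicit `PositionDoesNotExist` error instead of proceeding into the position bookkeeping. The same `transfer_position` also enforces the owner-only rule from the mitigation, so a caller other than the owner gets `NotOwner`.

```rust
// Added example, not the project's code: a toy position ledger with the
// existence and ownership checks the report asks for on position transfers.
use std::collections::HashMap;

pub type Address = [u8; 20]; // constructed stand-in for an on-chain address
pub type PositionId = u64;

#[derive(Debug, PartialEq, Eq)]
pub enum TransferError {
    PositionDoesNotExist,
    NotOwner,
}

#[derive(Default)]
pub struct Ledger {
    /// position id -> current owner; a burnt position is removed from the map
    owners: HashMap<PositionId, Address>,
}

impl Ledger {
    pub fn mint(&mut self, id: PositionId, owner: Address) {
        self.owners.insert(id, owner);
    }

    /// Both checks the report recommends, applied before any state change:
    /// the position must exist (i.e. not be burnt) and `caller` must own it.
    fn check_exists_and_owned(&self, caller: Address, id: PositionId) -> Result<(), TransferError> {
        let owner = self.owners.get(&id).ok_or(TransferError::PositionDoesNotExist)?;
        if *owner != caller {
            return Err(TransferError::NotOwner);
        }
        Ok(())
    }

    /// Burning removes the position entirely, so any later transfer of it must fail.
    pub fn burn(&mut self, caller: Address, id: PositionId) -> Result<(), TransferError> {
        self.check_exists_and_owned(caller, id)?;
        self.owners.remove(&id);
        Ok(())
    }

    /// Owner-only transfer (the mitigation): the caller is whoever submits the
    /// transaction, and only the current owner may move the position to `to`.
    pub fn transfer_position(&mut self, caller: Address, id: PositionId, to: Address) -> Result<(), TransferError> {
        self.check_exists_and_owned(caller, id)?;
        self.owners.insert(id, to);
        Ok(())
    }

    pub fn owner_of(&self, id: PositionId) -> Option<Address> {
        self.owners.get(&id).copied()
    }
}

/// Replays the ordering from the report: the burn is mined before the transfer,
/// so the transfer is rejected by the existence check rather than proceeding.
pub fn burn_then_transfer() -> Result<(), TransferError> {
    let alice: Address = [1u8; 20]; // constructed sample owner
    let bob: Address = [2u8; 20];   // constructed sample recipient
    let mut ledger = Ledger::default();
    ledger.mint(7, alice);
    ledger.burn(alice, 7).expect("the owner can burn her own position");
    ledger.transfer_position(alice, 7, bob)
}

fn main() {
    // Expected: Err(PositionDoesNotExist)
    println!("transfer after burn -> {:?}", burn_then_transfer());
}
```

The point of doing the lookup first is that a transfer racing against a burn fails at the cheapest possible step with a descriptive error, and the owner-only rule removes the situation in which a third party's transaction can be invalidated by the owner's own burn.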