hats-finance / Convergence---Convex-integration-0xb3df23e155b74ad2b93777f58980d6727e8b40bb


`CvxStakingPositionManager.sol#setBaseURI` poses a significant threat to users for a rugpull and fake nft #52

Open hats-bug-reporter[bot] opened 4 months ago

hats-bug-reporter[bot] commented 4 months ago

Github username: @0xumarkhatab
Twitter username: 0xumarkhatab
Submission hash (on-chain): 0x9e7d3e6658f64e6bac35f885204a474a01ef1278ef7397708688d284b003bbe1
Severity: medium

Description: Having single-step owner-only methods is always dangerous. But when it comes to NFTs, it is majorly about the art that the NFT owns. However, what if the underlying art is suddenly changed by the token owner? If the art is changed to some really ridiculous image, then the NFTs will be worthless. This is the constant fear that the stakingPositionManager NFT holders will have. It arises from the fact that the setBaseURI function, which is highly dangerous because it can completely change the underlying art folder of the NFT project, is totally owner controlled.

Although the likelihood is low, the impact is really high, because if it happens the users of the NFTs will lose their value if the market values the attached art more than the NFT itself.

This has happened with the Truth Labs token holders, where they changed their base URI to a ridiculous image, making the holders feel "being rugged". https://www.web3isgoinggreat.com/single/goblintown-nft-images-all-changed-to-an-illustrated-middle-finger-in-protest-about-royalties


Some embraced the new NFTs, while others accused Truth Labs of "rugging". Some people were horrified by the fact that NFTs that they owned could be changed after the fact without their consent, a fact they were not previously aware of. One owner wrote, "So your telling me I spent $1,000s of dollars and have 10 goblintowns for them all to now be dudes shaking their weiners?"

Although it might not have serious issues in staking NFTs, this might still pose a significant risk in the token holders' minds if the attached art is important to them.

Attack Scenario: The owner of stakingPositionManager will call the setBaseURI function with any arbitrary art folder and do it in a single transaction.

```solidity
// Single-step, owner-only change of the metadata root: takes effect immediately.
function setBaseURI(string memory newBaseURI) external onlyOwner {
    baseURI = newBaseURI;
}
```

Attachments: N/A

  1. Proof of Concept (PoC) File: N/A

  2. Revised Code File (Optional): Allow a two-step change of the base URI and have a timelock of at least 2 to 3 days, so that users are aware of this change and can make their investment decision on whether to keep the NFTs or sell them.
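The two-step, timelocked base URI change suggested in the report, written out as an added example; this is not the Convergence project's code and not the reporter's. The contract name, the `BASE_URI_DELAY` constant, the `proposeBaseURI` / `cancelBaseURIProposal` / `executeBaseURI` names and the minimal inline owner check are all assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example: a base URI that can only change after a public waiting period.
/// Step 1 announces the new folder (event + on-chain pending state), step 2 applies
/// it once BASE_URI_DELAY has elapsed. Holders and monitoring bots can watch for
/// BaseURIProposed and react before the art actually changes.
contract TimelockedBaseURI {
    uint256 public constant BASE_URI_DELAY = 3 days; // assumed delay, per the report's 2-3 day suggestion

    address public owner;
    string public baseURI;

    // Pending change: the proposed folder and the earliest timestamp it may be applied.
    string public pendingBaseURI;
    uint256 public pendingBaseURIEta; // 0 means no proposal is pending

    event BaseURIProposed(string newBaseURI, uint256 eta);
    event BaseURIProposalCancelled(string cancelledBaseURI);
    event BaseURIChanged(string oldBaseURI, string newBaseURI);

    error NotOwner();
    error NothingPending();
    error TimelockNotExpired(uint256 eta, uint256 current);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(string memory initialBaseURI) {
        owner = msg.sender;
        baseURI = initialBaseURI;
    }

    /// Step 1: announce the change. Nothing is applied yet; the proposal and its
    /// execution time are visible on-chain and in the emitted event.
    function proposeBaseURI(string calldata newBaseURI) external onlyOwner {
        pendingBaseURI = newBaseURI;
        pendingBaseURIEta = block.timestamp + BASE_URI_DELAY;
        emit BaseURIProposed(newBaseURI, pendingBaseURIEta);
    }

    /// The owner can withdraw a proposal during the waiting period.
    function cancelBaseURIProposal() external onlyOwner {
        if (pendingBaseURIEta == 0) revert NothingPending();
        string memory cancelled = pendingBaseURI;
        delete pendingBaseURI;
        pendingBaseURIEta = 0;
        emit BaseURIProposalCancelled(cancelled);
    }

    /// Step 2: apply the pending change, but only after the delay has passed.
    function executeBaseURI() external onlyOwner {
        if (pendingBaseURIEta == 0) revert NothingPending();
        if (block.timestamp < pendingBaseURIEta) {
            revert TimelockNotExpired(pendingBaseURIEta, block.timestamp);
        }
        string memory old = baseURI;
        baseURI = pendingBaseURI;
        delete pendingBaseURI;
        pendingBaseURIEta = 0;
        emit BaseURIChanged(old, baseURI);
    }

    // In an ERC721, return `baseURI` from _baseURI() so tokenURI() picks up the
    // value only after executeBaseURI() has run.
}
```

Holders get a guaranteed window between `BaseURIProposed` and `BaseURIChanged` in which `pendingBaseURI` can be inspected and a position sold or kept; `executeBaseURI` is kept owner-only here for simplicity, but making it callable by anyone once the ETA passes is an equally common timelock design and removes the owner's ability to stall a proposal indefinitely while keeping it pending.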

0xumarkhatab commented 4 months ago

This was accidentally submitted twice. Please ignore this one; #48 is the original.