0xmahdirostami
commented
1 month ago Actually there is a check for the managed NFT manager, though it lacks of such a check for the NFT owner itself
Open hats-bug-reporter[bot] opened 1 month ago
0xmahdirostami
commented
1 month ago Actually there is a check for the managed NFT manager, though it lacks of such a check for the NFT owner itself
Github username: @agbanusi Twitter username: -- Submission hash (on-chain): 0xb22d944d6c8eea7d122a50327642c5950e81a09c2a1b9f14c501f537e6a5bafa Severity: medium
Description: Description\ On deposit in the
SingelTokenVirtualRewarderUpgradeable.solfile, thetokenIdis not verified which can lead to balance of non-existent token be increased.Attack Scenario\ The attack path is from the
ManagedNFTManagerUpgradeable.sol:onAttachToManagedNFTtoCompoundVeFNXManagedNFTStrategyUpgradeable.sol:onAttachtoSingelTokenVirtualRewarderUpgradeable.sol:depositAttachmentshttps://github.com/hats-finance/Fenix--0x9d7765a7ebd5b6322a30797a44a5428531970d3d/blob/353c8e8e24454336e805e5c0e11e4e9ae1491d03/contracts/nest/ManagedNFTManagerUpgradeable.sol#L176
https://github.com/hats-finance/Fenix--0x9d7765a7ebd5b6322a30797a44a5428531970d3d/blob/353c8e8e24454336e805e5c0e11e4e9ae1491d03/contracts/nest/CompoundVeFNXManagedNFTStrategyUpgradeable.sol#L79
https://github.com/hats-finance/Fenix--0x9d7765a7ebd5b6322a30797a44a5428531970d3d/blob/353c8e8e24454336e805e5c0e11e4e9ae1491d03/contracts/nest/SingelTokenVirtualRewarderUpgradeable.sol#L121