Open HKskn opened 4 months ago
In the validateLoanOffer function, the token and tokenSignature are generated through our own wallet on the backend. Additionally, even if the user does not have the tokenId of collection X, they will encounter an error during the NFT transfer that should occur after this function. We believe there is a misunderstanding here.
SLG-05M: Insecure Loan Key Generation
Description:
The
SalvorLending
contract will generate unique keys per loan to be able to track their fulfilment state, however, the way these keys are generated are prone to collisions and generally insecure.Impact:
It is presently possible to hijack the fulfilment of a loan offer trivially by using the same NFT contract and
salt
even though the token ID of the hijacked loan offer may not be held by the user.Example:
Recommendation:
We advise the code to utilize the full loan offer hashes as keys instead of the constructed ones via
LibLending::hashKey
, ensuring that a single adjustment in the loan offer data will lead to an entirely different fulfilment entry being queried.