Closed sherlock-admin2 closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid
Invalid, this is a feature request. There is no core functionality broken here since users themselves can and are expected to manage their own positions
Assume a scenario where a position NFT owner approves another user as an operator for their positions using the approve().
This is not possible in the current system. If you mean approval of transfer of NFT then that means another user must first transfer this position NFT to themselves followed by any kind of order announcement.
imkapadia
high
Approved operator cannot call several functions
Summary
An NFT position operator who is approved by the NFT owner cannot adjust or close the position.
Vulnerability Detail
Functions like announceLeverageAdjust() and announceLeverageClose() of the DelayedOrder contract and announceLimitOrder() of LimitOrder have validation checks on whether the owner of tokenId is msg.sender or not. Since a position NFT is tradable/transferrable (as confirmed by the developer), if the NFT owner approves another user to operate their NFT by calling approve() or setApprovalForAll() and the approved operator calls the mentioned functions, it will always revert.
Proof of Concept:
approve().
Impact
This issue limits the functionality of announceLeverageAdjust(), announceLeverageClose() and announceLimitOrder(), as they fail to recognize the approval status of operators. Due to this, users have to suffer losses as the position can't be adjusted/closed at the desired time.
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L233
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L60
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L179-L183
Tool used
Manual Review
Recommendation
Allow operators approved by the token's owner to call these functions on behalf of the owner.
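As an added illustration of the recommendation above (not code from the Flat Money repository or from the issue author), the following Solidity contract places an owner-only check of the kind the issue describes beside a check that also accepts the token's approved address and any operator set with setApprovalForAll(). IPositionNFT, OrderAnnouncer and the announceClose* functions are hypothetical stand-ins for the real contracts; the three view functions on the interface are the standard ERC721 ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; the contract and function names are hypothetical stand-ins
// for the position NFT and order-announcing contracts described in the issue.
interface IPositionNFT {
    // Standard ERC721 views used to decide who may act on a position.
    function ownerOf(uint256 tokenId) external view returns (address);
    function getApproved(uint256 tokenId) external view returns (address);
    function isApprovedForAll(address owner, address operator) external view returns (bool);
}

contract OrderAnnouncer {
    IPositionNFT public immutable positionNft;

    error NotTokenOwner(uint256 tokenId, address caller);
    error NotOwnerOrOperator(uint256 tokenId, address caller);

    event CloseAnnounced(uint256 indexed tokenId, address indexed announcer);

    constructor(IPositionNFT _positionNft) {
        positionNft = _positionNft;
    }

    // Before: the owner-only check the issue describes. An address that was
    // granted approve() or setApprovalForAll() by the owner always reverts here.
    modifier onlyTokenOwner(uint256 tokenId) {
        if (positionNft.ownerOf(tokenId) != msg.sender) {
            revert NotTokenOwner(tokenId, msg.sender);
        }
        _;
    }

    // After: accept the owner, the single-token approvee (approve()) and any
    // operator set with setApprovalForAll(), mirroring ERC721's own
    // owner-or-approved rule used for transfers.
    function _isOwnerOrOperator(uint256 tokenId, address caller) internal view returns (bool) {
        address owner = positionNft.ownerOf(tokenId); // reverts for a non-existent token
        return caller == owner
            || positionNft.getApproved(tokenId) == caller
            || positionNft.isApprovedForAll(owner, caller);
    }

    modifier onlyOwnerOrOperator(uint256 tokenId) {
        if (!_isOwnerOrOperator(tokenId, msg.sender)) {
            revert NotOwnerOrOperator(tokenId, msg.sender);
        }
        _;
    }

    // Owner-only variant: an approved operator calling this reverts.
    function announceCloseOwnerOnly(uint256 tokenId) external onlyTokenOwner(tokenId) {
        emit CloseAnnounced(tokenId, msg.sender);
    }

    // Recommended variant: owner, approved address and operators may all announce.
    function announceClose(uint256 tokenId) external onlyOwnerOrOperator(tokenId) {
        emit CloseAnnounced(tokenId, msg.sender);
    }
}
```

A design point worth weighing before adopting the second check: ERC721 approvals exist to authorize transfers, so reusing them here means any address the owner approves for a sale or listing also gains the right to adjust or close the position. A project that wants the two permissions kept separate can instead keep a dedicated per-token operator mapping that the owner sets explicitly, and check that mapping alongside ownerOf() in the modifier.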