An attacker can bypass the leverage position NFT locking mechanism
Summary
A leverage trader can still transfer his Position NFT eventhough he has a pending announced order by opening and closing a limit order which unlocks his NFT.
Vulnerability Detail
When a leverage trader announces an order like LeverageAdjust or LeverageClose his Position NFT should be locked so the owner cannot transfer it to others after creating an order.
But an attacker can still unlock his position NFT eventhough it has an open order waiting for execution , by opening a limit and instantly closing it. Because cancelLimitOrder() unlocks position NFT eventhough it has an open order created through DelayedOrders module.
First of all the Position NFT should be locked whenever a leverage trader opens an order, the margin will be transferred to the user who created the order instead of NFT owner at the time of order execution.
Attack steps
Alice owns a leveraged position NFT.
Alice calls announceLeverageClose() to close her leverage position, which will lock her position NFT to restrict transfers.
Now Alice creates a fake limit order by calling announceLimitOrder() of LimitOrder and then immediately cancels it using cancelLimitOrder() function , which unlocks her leverage position NFT.
Now the attacker can transfer her position NFT to Bob or some protocol which accepts this NFT as collateral(external protocol integration).
When the pending order created in step 2 executes after delay Alice will receive collateral instead Bob receiving the collateral who is the actual owner of NFT.
Impact
An attacker can bypass the leverage position NFT locking mechanism
0xvj
high
An attacker can bypass the leverage position NFT locking mechanism
Summary
A leverage trader can still transfer his Position NFT eventhough he has a pending announced order by opening and closing a limit order which unlocks his NFT.
Vulnerability Detail
When a leverage trader announces an order like
LeverageAdjust
orLeverageClose
his Position NFT should be locked so the owner cannot transfer it to others after creating an order.But an attacker can still unlock his position NFT eventhough it has an open order waiting for execution , by opening a limit and instantly closing it. Because
cancelLimitOrder()
unlocks position NFT eventhough it has an open order created throughDelayedOrders
module.First of all the Position NFT should be locked whenever a leverage trader opens an order, the margin will be transferred to the user who created the order instead of NFT owner at the time of order execution.
Attack steps
announceLeverageClose()
to close her leverage position, which will lock her position NFT to restrict transfers.announceLimitOrder()
ofLimitOrder
and then immediately cancels it usingcancelLimitOrder()
function , which unlocks her leverage position NFT.Impact
An attacker can bypass the leverage position NFT locking mechanism
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/DelayedOrder.sol#L298
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L76
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1/src/LimitOrder.sol#L108
Tool used
Manual Review
Recommendation
Don't unlock the position NFT in
cancelLimitOrder()
function in LimitOrder module if the user already have a pending leverage adjust/close order.Duplicate of #48