Closed sherlock-admin2 closed 8 months ago
2 comment(s) were left on this issue during the judging contest.
karanctf commented:
qa
takarez commented:
invalid: there is nothing like selling the nft; there is only transfer which user knows where he sent it to
Bauer
high
If the NFT owner changes and there are still positions that have not been executed, it will result in financial losses for the user
Summary
Vulnerability Detail
When a user calls
DelayedOrder.announceLeverageClose()
to prepare for closing a position andLimitOrder.announceLimitOrder()
for a limit order closure, the protocol locks the user's NFT, preventing it from being transferred. The NFT remains locked during the cancellation and execution of these requests. There are two attack scenarios:Scenario 1:
1.User A calls
DelayedOrder.announceLeverageOpen()
to create a position and obtains an NFT. 2.User A callsLimitOrder.announceLimitOrder()
to create a limit order with a price threshold that won't be executed in the short term. 3.User A sells the NFT on the secondary market. 4.User B purchases the NFT. 5.User A detects the transaction in the transaction pool and front-runs by executingDelayedOrder.announceLeverageClose()
andLimitOrder.cancelLimitOrder()
in the same transaction, unlocking the NFT. This allows User B to successfully purchase the NFT. 6.User B successfully purchased the NFT_executeLeverageClose()
is called. In this function, the protocol retrieves the order information based on_announcedOrder[account]
and then callsLeverageModule.executeClose()
. Within this function, the protocol settles the position based on the token ID, burns the NFT, and transfers funds to the account. However, at this point, the owner of the NFT has changed, resulting in financial loss for User B.