search

sherlock-audit / 2024-03-arrakis-judging

0 stars 0 forks source link

Ocean_Sky - Private vault ownership nft can be subject for honeypot attack #86

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

Ocean_Sky

medium

Private vault ownership nft can be subject for honeypot attack

Summary

Private vault ownership nft can be subject for honeypot attack

Vulnerability Detail

Ownership of private vault is tokenized to nft to render them as transferable to other users. Transferable can mean sale of nft to marketplace or simply an exchange between two different users. A malicious seller of this nft ownership can take advantage of the situation by frontrunning the sale or transfer transaction by executing the withdraw function and drain the funds inside the vault. The buyer will end up receiving worthless nft.

Here is the withdraw function that can be executed without restriction in regards of transferring the vault nft ownership to other user.

File: ArrakisMetaVaultPrivate.sol
69:     function withdraw(
70:         uint256 proportion_,
71:         address receiver_
72:     )
73:         external
74:         onlyOwnerCustom
75:         returns (uint256 amount0, uint256 amount1)
76:     {
77:         (amount0, amount1) = _withdraw(receiver_, proportion_);
78: 
79:         emit LogWithdraw(proportion_, amount0, amount1);
80:     }

Proof of Concept

Consider this scenario

  1. User A, the current owner of private vault decided to sell his nft ownership to the marketplace.
  2. User B, see the nft item and interested to the funds inside the vault owned by the nft.
  3. User B, decided to buy the nft ownership of the said private vault and proceed to do buy transaction.
  4. User A, seeing the buy transaction and quickly frontruns the transaction with withdrawal of funds.
  5. User B, receive the nft ownership but the private vault already has no value or funds in there.

Impact

Lost of funds of the private vault right after the transfer.

Code Snippet

https://github.com/ArrakisFinance/arrakis-modular/blob/main/src/ArrakisMetaVaultPrivate.sol#L69-L79 https://github.com/ArrakisFinance/arrakis-modular/blob/main/src/abstracts/ArrakisMetaVault.sol#L230-L234 https://github.com/ArrakisFinance/arrakis-modular/blob/main/src/PALMVaultNFT.sol

Tool used

Manual Review

Recommendation

Implement a locking mechanism that prevents withdrawal of funds during the transfer.