search

wise-foundation / lending-audit

5 stars 4 forks source link

[PNF-04M] Potentially Insecure Position Reservation Workflow #130

Open vm06007 opened 11 months ago

vm06007 commented 11 months ago

PNF-04M: Potentially Insecure Position Reservation Workflow

Type Severity Location
Logical Fault PositionNFTs.sol:L61-L63

Description:

The PositionNFTs::reservePositionForUser function will permit any user to reserve a position for another. As a result, a PositionNFTs::reservePosition call may fail unexpectedly by another user reserving the position in advance.

Impact:

It is presently possible to hijack a PositionNFTs::reservePosition / PositionNFTs::reservePositionForUser call and force it to fail via an on-chain race condition.

Example:

function reservePosition()
    external
    returns (uint256)
{
    return _reservePositionForUser(
        msg.sender
    );
}

function reservePositionForUser(
    address _user
)
    external
    returns (uint256)
{
    return _reservePositionForUser(
        _user
    );
}

function _reservePositionForUser(
    address _user
)
    internal
    returns (uint256)
{
    if (reserved[_user] > 0) {
        revert AlreadyReserved();
    }

Recommendation:

We advise the PositionNFTs::_reservePositionForUser function to yield the reserved[_user] position instead of reverting with an AlreadyReserved error to ensure that smart contracts relying on PositionNFTs::reservePosition / PositionNFTs::reservePositionForUser calls do not fail.

vm06007 commented 11 months ago

Resolved in: https://github.com/wise-foundation/lending-audit/pull/129