Open vm06007 opened 11 months ago
The PositionNFTs::reservePositionForUser function will permit any user to reserve a position for another. As a result, a PositionNFTs::reservePosition call may fail unexpectedly by another user reserving the position in advance.
PositionNFTs::reservePositionForUser
PositionNFTs::reservePosition
It is presently possible to hijack a PositionNFTs::reservePosition / PositionNFTs::reservePositionForUser call and force it to fail via an on-chain race condition.
function reservePosition() external returns (uint256) { return _reservePositionForUser( msg.sender ); } function reservePositionForUser( address _user ) external returns (uint256) { return _reservePositionForUser( _user ); } function _reservePositionForUser( address _user ) internal returns (uint256) { if (reserved[_user] > 0) { revert AlreadyReserved(); }
We advise the PositionNFTs::_reservePositionForUser function to yield the reserved[_user] position instead of reverting with an AlreadyReserved error to ensure that smart contracts relying on PositionNFTs::reservePosition / PositionNFTs::reservePositionForUser calls do not fail.
PositionNFTs::_reservePositionForUser
reserved[_user]
AlreadyReserved
Resolved in: https://github.com/wise-foundation/lending-audit/pull/129
PNF-04M: Potentially Insecure Position Reservation Workflow
Description:
The
PositionNFTs::reservePositionForUser
function will permit any user to reserve a position for another. As a result, aPositionNFTs::reservePosition
call may fail unexpectedly by another user reserving the position in advance.Impact:
It is presently possible to hijack a
PositionNFTs::reservePosition
/PositionNFTs::reservePositionForUser
call and force it to fail via an on-chain race condition.Example:
Recommendation:
We advise the
PositionNFTs::_reservePositionForUser
function to yield thereserved[_user]
position instead of reverting with anAlreadyReserved
error to ensure that smart contracts relying onPositionNFTs::reservePosition
/PositionNFTs::reservePositionForUser
calls do not fail.