Anyone can call memorializePositions in PositionManager #105

Closed
code423n4 opened this issue May 7, 2023 · 4 comments
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-488
- partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
- upgraded by judge: Original issue severity upgraded from QA/Gas by judge

Comments

@code423n4
Contributor

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/PositionManager.sol#L170-L172

Vulnerability details

Impact

In the PositionManager contract, a user can call the memorializePositions function to transfer his LP to the position manager; this will save his LP information and bind it to the NFT. To do this, he first needs to mint an NFT for the pool of his choice and then approve a position manager to hold his LP. Ajna doesn't restrict access to memorializePositions, so anyone can call it and transfer LP to the position manager without the knowledge of the NFT owner.

Proof of Concept

Let's say Alice minted a token and approved PositionManager to use her LP, but she doesn't intend to memorialize her position right now. This opens up the possibility for a griefer account to call memorializePositions on it, causing Alice's liquidity to be transferred to the position manager at the wrong time.

Tools Used

Manual review

Recommended Mitigation Steps

Add an _isApprovedOrOwner(msg.sender, tokenId_) check in memorializePositions.

Assessed type

Access Control

code423n4 added the labels 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value) and bug (Something isn't working) on May 7, 2023
code423n4 added a commit that referenced this issue May 7, 2023
@c4-judge
Contributor

Picodes marked the issue as duplicate of #488

@Picodes

Picodes commented May 29, 2023

The impact described does not qualify for High Severity - the loss of funds scenario without external requirements is not obvious.

@c4-judge
Contributor

Picodes marked the issue as partial-50

c4-judge added the labels partial-50 (Incomplete articulation of vulnerability; eligible for partial credit only (50%)), 3 (High Risk) (Assets can be stolen/lost/compromised directly) and upgraded by judge (Original issue severity upgraded from QA/Gas by judge), and removed the label 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value), on May 29, 2023
@c4-judge
Contributor

Picodes changed the severity to 3 (High Risk)
