M-02 Unmitigated
medium
Lines of code
Vulnerability details
C4 Issue
M-02: A malicious borrower can hijack any NFT with permit() function he rents
Comments
Users were able to call permit() on rented NFTs, which approved the tokens so that they could later be transferred out of the wallet despite being rented.
Mitigation
PR-11: Prevent permit() tokens from validating permit signature in rental safe
- A Fallback policy has been created to solve the issue
- Calls to permit() verify signatures on wallets via isValidSignature(), like in the example provided in the report
- isValidSignature() is implemented according to the interface described in EIP-1271, and returns the 0x1626ba7e value on success as described by the EIP
- The callback validates that the sender (the NFT verifying the permit) is not a whitelisted token, otherwise it will revert
With these additions, if a user calls permit() on a whitelisted token, isValidSignature() will revert. But if executed on any other contract/token, it will verify the signature as expected, approving the tokens.
Mitigation Problems
Impact
Unwhitelisting a token allows users to call permit() on rented tokens of that contract, have the signature validated, and approve the tokens for transfer.
Vulnerability Details
Whitelisting assets is an on/off switch.
isValidSignature() checks that the token is currently on the whitelisted assets list.
So, the moment a whitelisted asset is removed (so that no new rentals are created with it), the permit() function becomes executable, as isValidSignature() will no longer revert.
Recommended Mitigation Steps
One option is to implement a bitmap for whitelistedAssets, as was done with other whitelists.
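One reading of this recommendation, as an added sketch that is not the protocol's code: each asset carries two independent bits, so delisting it for new rentals does not lift the permit guard. All names (RentalWalletSketch, assetFlags, RENTABLE, BLOCK_PERMIT, listAsset, delistForNewRentals) are hypothetical, and a simplified single-owner ECDSA check stands in for the wallet's real signature validation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added sketch, not the protocol's code: every name here is hypothetical.
contract RentalWalletSketch {
    bytes4 internal constant EIP1271_MAGIC = 0x1626ba7e;
    uint8 internal constant RENTABLE = 1;     // bit 0: new rentals may be created
    uint8 internal constant BLOCK_PERMIT = 2; // bit 1: refuse to validate signatures for this token

    address public immutable admin;
    address public immutable walletOwner;
    mapping(address => uint8) public assetFlags;

    error NotAdmin();
    error PermitBlocked(address token);

    constructor(address walletOwner_) {
        admin = msg.sender;
        walletOwner = walletOwner_;
    }

    /// Listing an asset sets both bits.
    function listAsset(address token) external {
        if (msg.sender != admin) revert NotAdmin();
        assetFlags[token] = RENTABLE | BLOCK_PERMIT;
    }

    /// Delisting clears only RENTABLE, so rentals that are still active stay protected.
    /// Assumption: BLOCK_PERMIT is cleared separately, once no rental of the token remains.
    function delistForNewRentals(address token) external {
        if (msg.sender != admin) revert NotAdmin();
        assetFlags[token] &= ~RENTABLE;
    }

    function isRentable(address token) external view returns (bool) {
        return (assetFlags[token] & RENTABLE) != 0;
    }

    /// EIP-1271 callback; msg.sender is the token contract verifying the permit.
    function isValidSignature(bytes32 hash, bytes calldata sig) external view returns (bytes4) {
        if ((assetFlags[msg.sender] & BLOCK_PERMIT) != 0) revert PermitBlocked(msg.sender);
        if (sig.length != 65) return 0xffffffff;
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        address signer = ecrecover(hash, v, r, s);
        return (signer != address(0) && signer == walletOwner) ? EIP1271_MAGIC : bytes4(0xffffffff);
    }
}
```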
Conclusions
Insufficient Mitigation
Assessed type
Invalid Validation
