The buyer of the NFT position can be front-run by the seller #196

Closed
code423n4 opened this issue May 9, 2023 · 2 comments
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
grade-c
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards

@code423n4

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-core/src/PositionManager.sol#L352

Vulnerability details

Impact

Position owners are able to list an NFT that represents their position on secondary markets. When a buyer purchases this NFT, the owner of it is able to front-run the transaction and call redeemPositions(). By calling this, the owner is able to transfer all of the lp from the contract to themselves. At this point the NFT has lost almost all of its value, yet the buyer will still end up buying it. Loss of funds for the buyer.

Proof of Concept

The value of this NFT is derived from the value that the position holds, which allows the following to be possible:

Alice owns a position that is worth 10 eth
Alice mints an NFT to represent her position
Alice offers her nft on a secondary market for 9 eth
Bob sees the good deal and makes a transaction to buy the position for 9 eth
Alice front-runs Bob and calls redeemPositions()
Alice now has the 10 eth worth of lp
Bob's transaction completes and he gets a worthless NFT
Alice gets Bob's 9 eth

Alice 19 eth
Bob 0 eth and a worthless NFT

Tools Used

Manual Analysis

Recommended Mitigation Steps

One solution would be to automatically burn the NFT when the position has been redeemed.

Assessed type

Timing
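
A simplified model of the transaction ordering in the report above, added here as an example; it is not code from the report or from Ajna's PositionManager. It assumes a marketplace purchase that transfers the token and pays atomically; the class, the `burn_on_redeem` switch and the marketplace step are hypothetical, and the switch shows the effect of the recommended mitigation.

```python
# Constructed model for illustration only; names other than redeemPositions are hypothetical.
class Revert(Exception):
    """Stands in for an EVM revert."""

class PositionManagerModel:
    def __init__(self, burn_on_redeem):
        self.burn_on_redeem = burn_on_redeem
        self.owner_of = {}    # token_id -> owner
        self.lp_in_nft = {}   # token_id -> LP value tracked by the NFT (in eth)
        self.wallet_lp = {}   # owner -> LP held directly after redeeming

    def mint(self, owner, token_id, lp):
        self.owner_of[token_id] = owner
        self.lp_in_nft[token_id] = lp

    def redeem_positions(self, caller, token_id):
        if self.owner_of.get(token_id) != caller:
            raise Revert("not owner")
        lp = self.lp_in_nft[token_id]
        self.lp_in_nft[token_id] = 0
        self.wallet_lp[caller] = self.wallet_lp.get(caller, 0) + lp
        if self.burn_on_redeem:   # the report's recommended mitigation
            del self.owner_of[token_id]
            del self.lp_in_nft[token_id]

    def transfer(self, seller, buyer, token_id):
        if self.owner_of.get(token_id) != seller:
            raise Revert("token does not exist or seller is not owner")
        self.owner_of[token_id] = buyer

def run_sale(burn_on_redeem):
    """Replay the report's sequence: the redeem is ordered ahead of Bob's buy."""
    pm = PositionManagerModel(burn_on_redeem)
    eth = {"alice": 0, "bob": 9}
    pm.mint("alice", 1, lp=10)
    pm.redeem_positions("alice", 1)
    try:
        # Bob's purchase: transfer then payment, all-or-nothing.
        pm.transfer("alice", "bob", 1)
        eth["bob"] -= 9
        eth["alice"] += 9
        sale = "filled"
    except Revert:
        sale = "reverted"
    return sale, eth, pm.wallet_lp.get("alice", 0), pm.lp_in_nft.get(1)
```

Without the burn, the sale fills against an NFT tracking 0 lp; with it, the transfer reverts and Bob keeps his 9 eth.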

code423n4 added the 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value) and bug (Something isn't working) labels May 9, 2023
code423n4 added a commit that referenced this issue May 9, 2023
c4-judge added the downgraded by judge (Judge downgraded the risk level of this issue) and QA (Quality Assurance) (Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax) labels and removed the 2 (Med Risk) (Assets not at direct risk, but function/availability of the protocol could be impacted or leak value) label May 18, 2023
@c4-judge

Picodes changed the severity to QA (Quality Assurance)

@c4-judge

Picodes marked the issue as grade-c

c4-judge added the grade-c and unsatisfactory (does not satisfy C4 submission criteria; not eligible for awards) labels May 18, 2023