Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #91

Open
code423n4 opened this issue Apr 7, 2022 · 1 comment
Open

QA Report #91

code423n4 opened this issue Apr 7, 2022 · 1 comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Summary

We list 2 non-critical findings here:

  • (Non) loanEndSeconds does not check valid loanId
  • (Non) Should use safe version of ERC721 functions

In conclusion, it's better to check the validity of the mapping’s key. And using a safe version of ERC721 functions is usually a better choice.

(Non) loanEndSeconds does not check valid loanId

Impact

In NFTLoanFacilitator.sol/loanEndSeconds(), it doesn’t check whether loanId is valid

Proof of Concept

https://github.com/code-423n4/2022-04-backed/blob/main/contracts/NFTLoanFacilitator.sol#L363

Recommended Mitigation Steps

Add check for loanId

(Non) Should use safe version of ERC721 functions

Impact

In NFTLoanFacilitator.sol, it uses IERC721Mintable(borrowTicketContract).mint which is not a good practice.

Proof of Concept

https://github.com/code-423n4/2022-04-backed/blob/main/contracts/NFTLoanFacilitator.sol#L102

https://github.com/code-423n4/2022-04-backed/blob/main/contracts/NFTLoanFacilitator.sol#L161

Recommended Mitigation Steps

Use safeMint instead of mint
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Apr 7, 2022
code423n4 added a commit that referenced this issue Apr 7, 2022
@code423n4
rayn issue #91
0354230
@wilsoncusack wilsoncusack added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Apr 8, 2022
@wilsoncusack
Copy link
Collaborator

fixed loan end seconds with-backed/backed-protocol#73

@wilsoncusack wilsoncusack added the resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) label Apr 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax resolved Finding has been patched by sponsor (sponsor pls link to PR containing fix) sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wilsoncusack @code423n4