Loan offer's required collateral tokenId is not validated in some conditions, borrower can use any NFT to initiate loans #119
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Lines of code
https://github.com/pixeldaogg/florida-contracts/blob/7bacbe3f2b4c1bb6c87961e3553118a6e6c2dcee/src/lib/loans/MultiSourceLoan.sol#L850
Vulnerability details
Impacts
Loan offer's required collateral tokenId is not validated in some conditions, borrower can use any NFT to initiate loans.
Proof of concept
When a lender generate LoanOffer, they can either specify a specific NFT tokenId, or allow a collection offer (any tokenId within the NFT collection). LoanOffer and executionData's collateral Id match is checked in
_checkValidators()
.Based on code doc, a lender's LoanOffer struct -> the collateral tokenId required :
(1) Empty validator array input -> lender want the exact tokenId match;
(2) Single validator element input && _loanOffer.validators[0].validator == address(0) -> lender accepts any token in the collection;
(3) Non-empty validator array &&_loanOffer.validators[0].validator != address(0) -> lender wants offer validators to check the offer.
Edge case: A lender wants an exact tokenId match and the tokenId is 0.
Based on the code doc, an exact match check should be performed when no validators are given. So lender's LoanOffer will be: (1) _loanOffer.nftCollateralTokenId =0 ; (2) _loanOffer.validators.length == 0;
However, _checkValidators() will not check this loanOffer at all. Due to empty validator array is provided, exact tokenId match is not checked due to vulnerable check
if (_loanOffer.nftCollateralTokenId != 0){...
. In the else branch, for-loop will be directly skipped, and exit the function with no checks.(https://github.com/pixeldaogg/florida-contracts/blob/7bacbe3f2b4c1bb6c87961e3553118a6e6c2dcee/src/lib/loans/MultiSourceLoan.sol#L850)
emitLoan() →_processOffersFromExecutionData() → validateOfferExecution()→ _checkValidators()
As a result, a borrower can use any collateral tokenId when the lender requires tokenId 0.
Tools
Manual
Recommendations
Refactor the if control flow in _checkValidators() to always check tokenId for exact match if empty validator array
Assessed type
Other
The text was updated successfully, but these errors were encountered: