Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

coffiasd - malicious can by pass the operator or owner check #218

Closed
sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Closed

coffiasd - malicious can by pass the operator or owner check #218

sherlock-admin4 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin4
Copy link

sherlock-admin4 commented Jul 15, 2024
edited
Loading

coffiasd

High

malicious can by pass the operator or owner check

Summary

_requireOnlyOperatorOrOwnerOf function use msg.sender instead of tokenId owner lead to malicious by pass the OnlyOperatorOrOwnerOf check.

Vulnerability Detail

from code link

 function _requireOnlyOperatorOrOwnerOf(uint256 tokenId) internal view {
    // isApprovedOrOwner: caller has no rights on token
    require(ERC721Upgradeable._isAuthorized(msg.sender, msg.sender, tokenId), "FORBIDDEN");//@audit @<
}

OZ code ERC721Upgradeable.sol

  function _isAuthorized(address owner, address spender, uint256 tokenId) internal view virtual returns (bool) {
      return
          spender != address(0) &&
          (owner == spender || isApprovedForAll(owner, spender) || _getApproved(tokenId) == spender);
  }

from above code we can the first parameter of _isAuthorized is the owner of tokenID, however the protocol use msg.sender which lead to owner == spender check always return true.

test:

    function testByPassOperaterOrOwnerCheck() public {
        _stakingToken.mint(BOB, 2 ether);
        _stakingToken.mint(ALICE, 2 ether);

        //alice create position.
        vm.startPrank(ALICE);
        _stakingToken.approve(address(_pool), 1 ether);
        _pool.createPosition(1 ether, 1 days);
        vm.stopPrank();

        //eq tokenID owner
        assertEq(_pool.ownerOf(1),ALICE);

        vm.startPrank(BOB);
        _stakingToken.approve(address(_pool), 1 ether);
        _pool.addToPosition(1, 1 ether);
        vm.stopPrank();
    }

Impact

malicious can by pass the operator or owner check

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/MlumStaking.sol#L140-L143

Tool used

Foundry
Manual Review

Recommendation

     /**
      * @dev Check if a userAddress has privileged rights on a spNFT
      */
     function _requireOnlyOperatorOrOwnerOf(uint256 tokenId) internal view {
         // isApprovedOrOwner: caller has no rights on token
-        require(ERC721Upgradeable._isAuthorized(msg.sender, msg.sender, tokenId), "FORBIDDEN");
+        require(ERC721Upgradeable._isAuthorized(_ownerOf(tokenId), msg.sender, tokenId), "FORBIDDEN");//@audit @<
     }

Duplicate of #378
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin4 sherlock-admin4 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Glorious Garnet Stallion - malicious can by pass the operator or owner check coffiasd - malicious can by pass the operator or owner check Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4