Skip to content

Latest commit

 

History

History
49 lines (31 loc) · 2.32 KB

017.md

File metadata and controls

49 lines (31 loc) · 2.32 KB
Raw

Zesty Amber Kestrel

Medium

There is no check to ensure that the NFT collateral has been transferred correctly.

Summary

https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/DebitaBorrowOffer-Factory.sol#L143-L144 In thecontract, it checks whether the balance of an IERC20 token has successfully met the required amount, but it does not check the balance of an IERC721 token. If the user uses an IERC721 token as collateral, this check will fail, and it is also uncertain whether the IERC721 token has successfully entered the contract.DebitaBorrowOffer-Factory.sol

Root Cause

It only checks if the collateral staked by the user is an IERC20 token, and confirms whether the DebitaBorrowOffer-Factory.sol contract has enough IERC20 tokens. This is an incorrect check, as if _collateral is an IERC721 token, this check will cause the contract to fail.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

Impact

An attacker could use an IERC721 token as collateral. When the attacker takes out a loan and deposits the IERC721 token as collateral, it will cause the transaction to fail. If the attacker repeatedly executes the same transaction, it could potentially cause the contract to become unresponsive.

A legitimate user attempting to use an IERC721 token as collateral for a loan will also encounter an error, preventing the transaction from being processed, which would break the functionality of the contract.

An attacker can use an IERC721 token as collateral without successfully transferring it to the contract, effectively enabling them to borrow funds without providing any actual collateral.

PoC

No response

Mitigation

To enhance the contract's validation functionality, it should not only check if the IERC20 collateral has been successfully deposited into the DebitaBorrowOffer-Factory.sol contract, but also account for the case where the collateral is an IERC721 token. Below is the suggested modified code:

if (_isNFT) {
    address nftOwner = IERC721(_collateral).ownerOf(_receiptID);
    require(nftOwner == address(borrowOffer), "NFT not transferred correctly");
} else {
    uint balance = IERC20(_collateral).balanceOf(address(borrowOffer));
    require(balance >= _collateralAmount, "Invalid balance");
}