For consistency, should always check if asset is not frozen for any createShortRecord function call from non admin or dao
Summary
We should check the asset's frozen status before creating short records in non-admin functions.
Vulnerability Details
Short records are created in four places: OwnerFacet, BidOrderFacet, LibOrders, and LibShortRecord. Except for OwnerFacet (restricted to DAO), other places need a check for the asset's frozen status. While BidOrderFacet and AskOrdersFacet have this check, LibShortRecord doesn't.
-
OwnerFacet
(See OwnerFacet#createMarket) -
BidOrderFacet
(See BidOrderFacet#createBid => BidOrderFacet#_createBid => BidOrderFacet#bidMatchAlgo => BidOrderFacet#matchlowestSell) -
LibOrders
(See AskOrdersFacet#createAsk => LibOrders#sellMatchAlgo => LibOrders#matchIncomingSell => LibOrders#matchIncomingShort) -
LibShortRecord
(See ERC721Facet#transferFrom => LibShortRecord#transferShortRecord)
Ignoring OwnerFacet#createMarket since only the DAO can use it.
BidOrderFacet#createBid and AskOrdersFacet#CreateAsk have the isNotFrozen check.
LibShortRecord#transferFrom does not have this check.
Impact
Without this check in LibShortRecord, short records might be created even if the asset is frozen, which is inconsistent with other functions' behaviors.
Tools Used
Manual
Recommendations
Include the isNotFrozen check in the LibShortRecord#transferFrom function.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.