DittoETH
Ditto
DeFiFoundryOracle
55,000 USDC
View results
Previous Next
Submission Details
Severity: high
Valid

The ownership of the NFT remains claimable even after the short record has been deleted.

0xaman

Summary

The protocol does support NFT for shot record holders. However, a vulnerability has been identified in the exitShortx function.

Vulnerability Details

Upon reviewing the ExitShortx functions, it has been noted that the code does not verify whether an NFT has been minted. Furthermore, if an NFT is indeed minted, the code does not proceed to revoke or eliminate the user's ownership of that NFT.

function test_NFTOwnerShipAfterExistShortRecord() public {
vm.prank(address(diamond));
token.mint(sender, DEFAULT_AMOUNT);
createShortAndMintNFT();
console.log(diamond.ownerOf(1));
exitShortWallet(Constants.SHORT_STARTING_ID, DEFAULT_AMOUNT, sender);
assertEq(getShortRecordCount(sender), 0);
// the owner must not be sender after exit shor record.
assertEq(diamond.ownerOf(1), address(sender));
}

Impact

The current impact is relatively minimal. However, it could potentially result in undefined or unpredictable ownership of NFTs in the future. however we are aware of the fact that the user still can't transfer this NFT.

Tools Used

Manual review

Recommendations

The system incorporates a 'burnNFT' function, which is designed to eliminate the ownership record of a NFT and its associated user. It is advisable to invoke this function only if a complete record exists and the user possesses the NFT. The following code snippet is provided for your reference:

+ // @audit : check if have NFT minted them call LibShortRecord.burnNFT()
+ if(s.nftMapping[short.tokenId].owner != address(0)){
+ LibShortRecord.burnNFT(short.tokenId);
+ }
LibShortRecord.deleteShortRecord(asset, msg.sender, id);
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-562

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.