Sablier

DeFiFoundry
53,440 USDC
Submission Details
Severity: medium
Invalid

Malicious third party can burn NFT without recipient Permission.

Summary

A malicious third party can burn the NFT without the recipient's permission.

Vulnerability Details

A malicious third party can burn the NFT without the recipient's permission.

There are three reasons why a recipient might approve a third party, and each one is different. The recipient could approve the third party to:

  1. transferFrom the NFT.

  2. withdraw funds.

  3. burn the NFT.

As we see here, the three reasons are completely different.
The problem occurs when the recipient wants the third party only to withdraw the funds: the recipient must first approve the third party to withdraw the funds, and after the third party withdraws the funds the approval is not reset.
The recipient wants the third party to withdraw an amount of assets, but not to transfer the NFT or burn it.

Let's look at this scenario:

  1. The recipient wants the third party only to withdraw funds.

  2. The recipient approves the third party to withdraw funds using the approve function.

  3. The third party withdraws the funds and the status is isDepleted.

  4. Since the third party has withdrawn all funds, the third party no longer needs approval.

  5. But in this case the third party still has a lot of power over the NFT, such as burn/transferFrom.

The big problem is that the assets are at risk and the user does not have many options to control the approval process.
For example, the third party could withdraw and burn in the same transaction, which means the recipient can't even reset the approval.
This undermines the user's options in how to use their NFT. The protocol is designed to facilitate payments
in cryptocurrencies, and the recipient of these funds must have many options for how to use them,
for example selling the NFT or allowing another protocol to withdraw funds only. As long as the user has complete
freedom in how to use these funds, they may decide to invest them in a new project without
any fear that this project is able to burn/transfer the NFT.

The approval should be reset after one use, and when the recipient wants to burn the NFT they can approve again.
The NFT is tradable even with a 0 amount (isDepleted),
e.g.: https://opensea.io/assets/ethereum/0xafb979d9afad1ad27c5eff4e27226e3ab9e5dcc9/14045

POC: file test/integration/concrete/lockup-linear/create-with-timestamps/createWithTimestamps.t.sol

    function test_TBurn() external {
        uint40 timestamp = uint40(block.timestamp);
        address recipient = 0x03E9b88f4b1406163Ef9eC4875A52e1e55953eC1;
        uint256 streamId = createDefaultStreamWithTimestamps(
            LockupLinear.Timestamps({
                start: timestamp,
                cliff: timestamp + 200,
                end: timestamp + 500
            })
        );
        // Move past the end time so the full amount has streamed.
        vm.warp(timestamp + 700);
        // The recipient approves the test contract (the third party) for this stream NFT.
        vm.startPrank(recipient);
        lockupLinear.approve(address(this), streamId);
        vm.stopPrank();
        // @notice withdraw funds to a non-recipient address, which requires approval.
        lockupLinear.withdraw(streamId, address(this), lockupLinear.streamedAmountOf(streamId));
        // @audit burn the NFT; this is against the recipient's will.
        lockupLinear.burn(streamId);
    }

Impact

  1. The user may suffer financial losses.

  2. This creates many restrictions on the user in how they can use their NFT.

Tools Used

manual

Recommendations

The approval should be reset after one use, and when the recipient wants to burn the NFT they can approve again.
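
A recipient-side check of the same scenario, as an added example that is not part of the submission or of the Sablier code base: it shows the approval surviving the withdrawal and the recipient clearing it manually. The test name is hypothetical; it reuses the harness names from the POC and assumes standard ERC-721 `approve`/`getApproved`/`ownerOf` behaviour and that `burn` requires the caller to be the recipient or approved.

```solidity
// Added example: hypothetical test, meant to sit beside test_TBurn in the same test contract.
// Harness names (lockupLinear, createDefaultStreamWithTimestamps) are taken from the POC above.
function test_RevokeApprovalAfterWithdraw() external {
    uint40 timestamp = uint40(block.timestamp);
    address recipient = 0x03E9b88f4b1406163Ef9eC4875A52e1e55953eC1; // recipient address used in the POC
    uint256 streamId = createDefaultStreamWithTimestamps(
        LockupLinear.Timestamps({ start: timestamp, cliff: timestamp + 200, end: timestamp + 500 })
    );
    vm.warp(timestamp + 700);

    // The recipient grants the single-token ERC-721 approval to the third party.
    vm.prank(recipient);
    lockupLinear.approve(address(this), streamId);

    // The third party withdraws everything; the stream is now depleted.
    lockupLinear.withdraw(streamId, address(this), lockupLinear.streamedAmountOf(streamId));

    // The withdrawal does not consume the approval.
    assertEq(lockupLinear.getApproved(streamId), address(this));

    // The recipient revokes by approving the zero address (standard ERC-721 behaviour).
    vm.prank(recipient);
    lockupLinear.approve(address(0), streamId);
    assertEq(lockupLinear.getApproved(streamId), address(0));

    // With the approval cleared, the third party's burn attempt reverts
    // (assumption: burn is restricted to the recipient or an approved caller).
    vm.expectRevert();
    lockupLinear.burn(streamId);

    // The NFT still exists and is still owned by the recipient.
    assertEq(lockupLinear.ownerOf(streamId), recipient);
}
```

The revocation only helps when the third party's withdraw and burn are separate transactions; as noted above, both calls can be made in one transaction before the recipient can react.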

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement