Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-05-AJNA-FINDINGS-ISSUES-466
HistoryMay 11, 2023 - 12:00 a.m.

mint() function: Rogue lenders/attackers could mint multiple/endless position NFTs for their SAME Ajna pool deposits/LPs, when they're supposed to be able to mint only one position NFT per lender per LP per pool.

2023-05-1100:00:00
Code4rena
github.com
5
rogue lender
attackers
nft inflation
reward distribution
unfair advantage
mitigation
JSON

Lines of code

Vulnerability details

Impact

The current implementation of the mint function allows a lender to mint multiple position NFTs for the same Ajna pool deposit. This could lead to an inflation of NFTs and potentially disrupt the system’s reward distribution, as the lender could stake these multiple NFTs and claim more rewards than they should. This could also result in an unfair advantage for such lenders over others who abide by the intended one NFT per lender per pool per total LP rule.

Proof of Concept

The mint function currently does not check whether an NFT has already been minted for the same Ajna pool deposit by the same lender. This allows the same lender to mint multiple NFTs for the same pool deposit.

Here’s an example of how a rogue lender could exploit this:
// First NFT
mint({pool: myPool, poolSubsetHash: someHash, recipient: myAddress});
// Second NFT for the same pool deposit
mint({pool: myPool, poolSubsetHash: someHash, recipient: myAddress});

The lender can repeat this process and mint an arbitrary number of NFTs for the same pool deposit, which is not the intended behavior.

Tools Used

VSC.

Recommended Mitigation Steps

To prevent a lender from minting multiple NFTs for the same Ajna pool deposit, it is recommended to introduce a mapping that keeps track of whether a position NFT has already been minted for a specific lender and pool deposit. In the mint function, check this mapping before minting a new NFT, and revert the transaction if an NFT for the same pool deposit has already been minted by the same lender.

Here’s a simple example of how such a check could be implemented:

// Mapping to track whether a position NFT has already been minted
// for a specific lender and pool deposit
mapping(address => mapping(address => bool)) private _minted;

function mint(MintParams calldata params_) external override nonReentrant returns (uint256 tokenId_) {
// Check if a position NFT has already been minted for this lender and pool deposit
require(!minted[msg.sender][params.pool], “Position NFT already minted for this pool deposit”);

// ... rest of the mint function

// Mark that a position NFT has been minted for this lender and pool deposit
_minted[msg.sender][params_.pool] = true;

}

This way, a lender can only mint one position NFT per Ajna pool deposit, as intended, preventing the minting of multiple NFTs for the same deposit.

Assessed type

Other

The text was updated successfully, but these errors were encountered:

All reactions

JSON