
RentableNFT finishRenting vulnerability to return transferred token

Open SamWarden opened this issue 3 years ago • 3 comments

RentableNFT finishRenting allows a lord to return a transferred token from the new owner if he is the last renter. A possible RentableNFT finishRenting abuse algorithm:

  1. An owner of a token rents it out (rentOut) to a renter.
  2. Waits for the rental to expire and takes the token back.
  3. The owner gives/sells the token again to the same renter. (Transfer)
  4. Despite the fact that now the real owner of the token is the renter, the former owner has an opportunity to return the token back at any time through the same finishRenting.

To fix this, just add a check that the token is rented before returning it to its lord.

SamWarden avatar Jul 03 '22 18:07 SamWarden
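A minimal sketch of the flaw described above, added here as an illustration and not the sol-like-a-pro RentableNFT code: the contract layout, the `Rental` struct and the `transfer`/`rentOut` helpers are assumptions, and the two `finishRenting` variants show the missing "is the token currently rented" check beside the fix the issue proposes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical rental contract written for this issue (NOT the project's code).
// "Rented" means a Rental record exists for the token; an expired rental can be
// transferred but its record is still outstanding until it is finished.
contract RentableNFTSketch {
    struct Rental { address lord; address renter; uint64 expiresAt; }

    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => Rental) public rentals;

    constructor() { ownerOf[1] = msg.sender; }

    function transfer(uint256 id, address to) external {
        require(msg.sender == ownerOf[id], "not owner");
        require(block.timestamp >= rentals[id].expiresAt, "rental still running");
        ownerOf[id] = to;
    }

    function rentOut(uint256 id, address renter, uint64 duration) external {
        require(msg.sender == ownerOf[id], "not owner");
        require(rentals[id].lord == address(0), "already rented");
        rentals[id] = Rental(msg.sender, renter, uint64(block.timestamp) + duration);
        ownerOf[id] = renter;
    }

    // VULNERABLE: checks only "caller is the recorded lord" and "rental expired".
    // The record is never cleared, so after the lord takes the token back (step 2)
    // and later transfers it to the former renter for good (step 3), the lord can
    // call this again and pull the token away from its real owner (step 4).
    function finishRentingVulnerable(uint256 id) external {
        Rental storage r = rentals[id];
        require(msg.sender == r.lord, "not lord");
        require(block.timestamp >= r.expiresAt, "not expired");
        ownerOf[id] = r.lord;
    }

    // FIXED: the check proposed in the issue (the token must currently be rented,
    // i.e. a rental record is outstanding) plus clearing the record, so a finished
    // rental cannot be "finished" a second time after an ordinary transfer.
    function finishRenting(uint256 id) external {
        Rental storage r = rentals[id];
        require(r.lord != address(0), "not rented");
        require(msg.sender == r.lord, "not lord");
        require(block.timestamp >= r.expiresAt, "not expired");
        ownerOf[id] = r.lord;
        delete rentals[id];
    }
}
```

With the fixed variant, the second `finishRenting` call in step 4 reverts with "not rented", because the record was deleted in step 2 and the step 3 transfer created no new rental.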

A test to demonstrate abuse of the vulnerability https://github.com/SamWarden/sol-like-a-pro/blob/11e4669cf6e4c3503a506739164e66b81ebc7ba6/test/rentable-nft/RentableNFT.test.ts#L126

SamWarden avatar Jul 03 '22 18:07 SamWarden

This is my fix option #3

SamWarden avatar Jul 03 '22 18:07 SamWarden