sherlock-admin3 changed the title from "Sunny Pewter Kookaburra - No Validation of NFT Ownership or veAERO Validity in the Deposit Function of Receipt-veNFT Contract" to "OxTushar - No Validation of NFT Ownership or veAERO Validity in the Deposit Function of Receipt-veNFT Contract" on Dec 12, 2024
OxTushar
High
No Validation of NFT Ownership or veAERO Validity in the Deposit Function of Receipt-veNFT Contract
Summary
The deposit function in the Receipt-veNFT contract lacks proper validation to ensure that the NFT being deposited is owned by the user or corresponds to a valid veAERO.
https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/Non-Fungible-Receipts/veNFTS/Aerodrome/Receipt-veNFT.sol#L63
This oversight allows malicious users to deposit any random NFT, bypassing the intended logic of the protocol.
Root Cause
The deposit function does not verify whether the caller owns the NFT being deposited or whether the NFT is a valid veAERO. Without this check, users can deposit unrelated or invalid NFTs, potentially leading to protocol abuse or incorrect collateral calculations.
https://github.com/sherlock-audit/2024-11-debita-finance-v3/blob/main/Debita-V3-Contracts/contracts/Non-Fungible-Receipts/veNFTS/Aerodrome/Receipt-veNFT.sol#L63
No Ownership Validation:
• The contract does not check if msg.sender is the actual owner of tokenId before calling transferFrom.
No veAERO Validity Check:
• The function does not verify if the tokenId corresponds to a valid veAERO.
Internal pre-conditions
No response
External pre-conditions
No response
Attack Path
No response
Impact
Malicious users can deposit invalid NFTs, bypassing the requirement for legitimate assets.
This may lead to the issuance of rewards, incentives, or benefits based on fraudulent deposits.
PoC
No response
Mitigation
Verify that the tokenId belongs to the valid set of veAERO NFTs
Before calling transferFrom, ensure the caller owns the tokenId:
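As an added example (not code from the Debita contracts or from this report), a hardened deposit function that applies both mitigations before calling transferFrom. The IVeAERO interface, its LockedBalance layout, the custom errors and the contract name are assumptions made for illustration; the escrow address is fixed at construction so that only the designated veAERO collection can ever be pulled in.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interface for the veAERO (Aerodrome VotingEscrow) contract.
// Only the functions this example relies on are declared; the LockedBalance
// field layout is an assumption and should be checked against the real escrow.
interface IVeAERO {
    struct LockedBalance { int128 amount; uint256 end; bool isPermanent; }
    function ownerOf(uint256 tokenId) external view returns (address);
    function locked(uint256 tokenId) external view returns (LockedBalance memory);
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract HardenedVeNFTReceipt {
    IVeAERO public immutable veAERO;                // trusted escrow, fixed at deploy time
    mapping(uint256 => address) public depositorOf; // tokenId => depositor

    error NotTokenOwner(uint256 tokenId, address caller);
    error InvalidVeAERO(uint256 tokenId);
    error NotReceived(uint256 tokenId);

    constructor(address _veAERO) {
        veAERO = IVeAERO(_veAERO);
    }

    // Deposit with both checks from the Mitigation section applied before transferFrom.
    function deposit(uint256 tokenId) external {
        // 1. Ownership: the caller must be the current owner. ownerOf also reverts
        //    for a non-existent tokenId, so unknown ids are rejected here as well.
        if (veAERO.ownerOf(tokenId) != msg.sender) revert NotTokenOwner(tokenId, msg.sender);

        // 2. Validity: the id must carry a live lock, i.e. be a real veAERO position
        //    (non-zero locked amount, and either permanent or not yet expired).
        IVeAERO.LockedBalance memory lock = veAERO.locked(tokenId);
        if (lock.amount <= 0 || (!lock.isPermanent && lock.end <= block.timestamp)) {
            revert InvalidVeAERO(tokenId);
        }

        depositorOf[tokenId] = msg.sender;

        // Pull the token only from the trusted escrow contract, never from a
        // user-supplied collection address.
        veAERO.transferFrom(msg.sender, address(this), tokenId);

        // 3. Post-condition: confirm custody actually changed hands before any
        //    receipt is issued on the strength of this deposit.
        if (veAERO.ownerOf(tokenId) != address(this)) revert NotReceived(tokenId);
    }
}
```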