Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nutty Spruce Octopus - Incorrect refund logic in _addLeveragePostCallback leads to potential fund misallocation #548

Open
sherlock-admin4 opened this issue Feb 17, 2025 · 0 comments
Open

Nutty Spruce Octopus - Incorrect refund logic in _addLeveragePostCallback leads to potential fund misallocation #548

sherlock-admin4 opened this issue Feb 17, 2025 · 0 comments

Comments

@sherlock-admin4
Copy link

Nutty Spruce Octopus

Medium

Incorrect refund logic in _addLeveragePostCallback leads to potential fund misallocation

Summary

The incorrect refund logic in _addLeveragePostCallback will cause a financial loss for the NFT operator as the remaining funds after flash loan repayment are always sent to the position NFT owner instead of the actual fund provider. This issue arises when the operator, rather than the owner, supplies the funds for leverage.

Root Cause

In _addLeveragePostCallback, the refund is sent to positionNFT.ownerOf(_props.positionId), assuming the owner is always the borrower. However, the borrower is the msg.sender in addLeverage, which may be an operator of the NFT rather than the actual owner. If the operator provides funds, they will not receive any refund, leading to unintended financial losses.

LeverageManager.addLeverage

LeverageManager._addLeveragePostCallback

Internal Pre-conditions

  1. An operator of an NFT position (not the owner) calls addLeverage and provides _userProvidedDebtAmt to reduce the flash loan amount.
  2. The leveraged position generates excess funds after repaying the flash loan.
  3. The contract incorrectly sends the excess funds to the position NFT owner instead of the operator who supplied them.

External Pre-conditions

N/A

Attack Path

  1. An operator of a position NFT calls addLeverage with _userProvidedDebtAmt to reduce the flash loan amount.
  2. The contract processes the leverage, repays the flash loan, and determines the remaining funds.
  3. Instead of refunding the remaining funds to the actual fund provider (the operator), the contract sends them to the NFT owner.
  4. The operator suffers an unintended financial loss as they do not receive the refund of their own contributed funds.

Impact

The NFT operator suffers a financial loss proportional to the remaining funds after flash loan repayment, as they are incorrectly sent to the NFT owner. The NFT owner gains an unintended financial benefit if they are not the actual fund provider.

PoC

No response

Mitigation

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin4