b0g0_ctf - Unauthorized Withdrawal via NFT Transfer

[mo-hak]

𝗦𝗲𝘃𝗲𝗿𝗶𝘁𝘆:

Medium

Description of the Bug:

mapping(address => uint256) public deposits;
When a user deposits ETH and receives an NFT, the 𝐝𝐞𝐩𝐨𝐬𝐢𝐭𝐬 𝐦𝐚𝐩𝐩𝐢𝐧𝐠 is updated to reflect the deposited amount mapped to the initial depositor. However, if the NFT is transferred to another address via 𝐭𝐫𝐚𝐧𝐬𝐟𝐞𝐫 𝐟𝐮𝐧𝐜𝐭𝐢𝐨𝐧 from erc721 (as it is not overridden), 𝐭𝐡𝐞 𝐝𝐞𝐩𝐨𝐬𝐢𝐭𝐬 𝐦𝐚𝐩𝐩𝐢𝐧𝐠 𝐢𝐬 𝐧𝐨𝐭 𝐮𝐩𝐝𝐚𝐭𝐞𝐝 𝐭𝐨 𝐫𝐞𝐟𝐥𝐞𝐜𝐭 𝐭𝐡𝐢𝐬 𝐭𝐫𝐚𝐧𝐬𝐟𝐞𝐫 𝐭𝐨 𝐭𝐡𝐞 𝐧𝐞𝐰 𝐨𝐰𝐧𝐞𝐫. This allows the new owner of the NFT to withdraw ETH without having deposited any, leading to unauthorized withdrawals.

Impact:

Underflow Errors: Subtracting the deposit amount from an address with zero balance could cause underflow errors, leading to unexpected behavior or contract failure. And the original owner cant also withdraw as it is not the current owner. This would lead to 𝐝𝐞𝐧𝐢𝐚𝐥 𝐨𝐟 𝐬𝐞𝐫𝐯𝐢𝐜𝐞

Solution:

To prevent the vulnerability, the contract should be modified to ensure that only the original depositor can withdraw their ETH. This can be achieved by tracking the original depositor for each token ID and ensuring that only this address can call the withdraw function.

[BogoCvetkov]

Valid! Already submitted by another auditor -> #22