Full Report
Bunker Finance is a borrow-and-lend platform built specifically for taking loans against NFTs as collateral. Essentially, you can fund loans by using NFTs. When depositing NFTs as collateral on Bunker, the user receives a bNFT or cNFT. This is a wrapper around the underlying NFT type (ERC-1155, ERC-721 or CryptoPunk) and demonstrates ownership over a specific NFT. When minting a cNFT for ERC-721 or CryptoPunks, the `amounts` parameter is NOT checked. This means multiple ownership tokens can be minted while the NFT itself is still in the contract. Instead of a 1-to-1 relationship there is a 1-to-many relationship, which is very bad for unique objects. Now an attacker can use ONE cNFT to redeem their original NFT while still holding leftover cNFTs. Practically, since this is a unique token, if an attacker sold the NFT on this platform, they would simply be able to redeem it again using an extra cNFT token, stealing the token from the other user. Overall, a neat bug, with a new proof of concept included in the blog that uses Hardhat and a forked network.
Analysis Summary
# Vulnerability: Bunker Finance bNFT/cNFT Amount Manipulation Leading to NFT Theft
## CVE Details
- CVE ID: Not explicitly mentioned in the source.
- CVSS Score: Not explicitly mentioned in the source.
- CWE: CWE-20 (Improper Input Validation) or CWE-840 (Improper Restriction of Operations within the Bounds of a Resource - related to incorrect supply/ownership tracking).
## Affected Systems
- Products: Bunker Finance Lending Platform (specifically the v1 CryptoPunks lending pool and the associated cNFT/bNFT contract logic).
- Versions: V1 of the protocol.
- Configurations: Applicable when minting cNFTs (wrapper tokens) for ERC-721 or CryptoPunk NFTs, where the input parameter `amounts` is not validated.
## Vulnerability Description
The core vulnerability lies in the minting function for the ERC-1155 compliant wrapper tokens (cNFTs) created to represent deposited ERC-721s or CryptoPunks collateral. For these unique NFT types, the `amounts` parameter passed during the `mint` call was not validated or enforced to be '1'. This allowed an attacker to mint multiple cNFTs (e.g., 5 cNFTs) representing a single underlying NFT.
If an attacker redeems the NFT using only one cNFT, they are left with excess cNFTs (4 in the example). Critically, if the underlying NFT is subsequently sold to another user (Alice) and redeposited, the attacker still holds these excess cNFTs. The attacker can then use one of their leftover cNFTs to call `redeem` again, effectively stealing the NFT from the new owner (Alice), leading to a 1-to-many ownership relationship where a 1-to-1 relationship was expected.
## Exploitation
- Status: PoC available. The article states a Proof of Concept (PoC) exploit was written by Shenwilly to demonstrate the attack flow using Hardhat and a forked network.
- Complexity: Low (assuming understanding of the contract interaction).
- Attack Vector: Network (Remote interaction with the smart contract).
## Impact
- Confidentiality: None (Focus is on asset control).
- Integrity: High (Allows an attacker to illicitly change the ownership of deposited collateral NFTs by taking possession of them after they are sold to a new, legitimate user).
- Availability: Low (The availability of the *platform* was paused for new deposits, but underlying user assets faced integrity risk).
## Remediation
### Patches
- The development team has updated the `mint` function in the cNFT contract to correctly enforce input constraints.
- Updates were made to the `mint`, `seize`, and `redeem` functions across the protocol (to be included in v2).
- **Fix:** For all non-ERC1155 assets (including ERC-721 and Punks), the `amounts` parameter is now strictly checked and enforced to be exactly '1'.
- These fixes are scheduled for inclusion in Bunker Finance **v2**.
### Workarounds
- New deposits into the v1 CryptoPunks pool were paused immediately upon notification.
- Assets can still be withdrawn from the paused v1 pool at any time.
## Detection
- **Indicators of Compromise (IOCs):** Transactions where the `mint` function for cNFTs corresponding to ERC-721/Punks was called with an `amounts` value greater than 1. Transactions where an attacker redeems collateral for a token ID they previously held, despite already having redeemed it once.
- **Detection methods and tools:** Monitoring the input parameters of mint transactions targeting the cNFT contract for non-1 amounts related to unique asset types, or analyzing post-sale redemption attempts by previous owners.
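The accounting defect from the Vulnerability Description and the over-mint rule from the Detection section, as an added Python model written for this summary (it is not Bunker's contract code or the postmortem PoC; the vault class, the token ID 1234, the `attacker`/`alice` names and the mint-call record layout are constructed for illustration):

```python
from collections import defaultdict

ERC1155, ERC721, PUNK = "ERC1155", "ERC721", "PUNK"

class CNftVault:
    """Constructed model of cNFT wrapper accounting (not Bunker's code); enforce_unit=True is the v2 fix."""

    def __init__(self, enforce_unit):
        self.enforce_unit = enforce_unit
        self.custody = defaultdict(int)   # token_id -> underlying units the vault actually holds
        self.balances = defaultdict(int)  # (token_id, holder) -> cNFT units credited

    def mint(self, holder, asset_type, token_id, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        if asset_type != ERC1155 and self.custody[token_id] > 0:
            raise ValueError("unique asset already deposited")
        # v2 fix: an ERC-721 / Punk deposit may only ever mint exactly 1 cNFT
        if self.enforce_unit and asset_type != ERC1155 and amount != 1:
            raise ValueError("amount must be exactly 1 for non-ERC1155 assets")
        units = amount if asset_type == ERC1155 else 1  # a punk is one token, whatever was requested
        self.custody[token_id] += units
        self.balances[(token_id, holder)] += amount     # v1 defect: credit exceeds units when amount > 1

    def redeem(self, holder, token_id, amount=1):
        if self.balances[(token_id, holder)] < amount:
            raise ValueError("insufficient cNFT balance")
        if self.custody[token_id] < amount:
            raise ValueError("underlying not in vault")
        self.balances[(token_id, holder)] -= amount
        self.custody[token_id] -= amount

def attack_flow(enforce_unit, token_id=1234):
    """Replays the postmortem scenario. Returns (attacker cNFTs left, alice cNFTs, units in vault),
    or None when the vault rejects the over-minting step."""
    vault = CNftVault(enforce_unit)
    try:
        vault.mint("attacker", PUNK, token_id, amount=5)  # 5 cNFTs credited against one punk
    except ValueError:
        return None
    vault.redeem("attacker", token_id)                    # punk returned, 4 cNFTs still held
    vault.mint("alice", PUNK, token_id, amount=1)         # punk sold off-platform; alice redeposits it
    vault.redeem("attacker", token_id)                    # a leftover cNFT pulls alice's punk out
    return (vault.balances[(token_id, "attacker")],
            vault.balances[(token_id, "alice")], vault.custody[token_id])

def flag_overminted(mint_calls):
    """Detection rule from the Detection section: unique-asset mints whose `amounts` exceeds 1."""
    return [c["tx"] for c in mint_calls if c["asset"] != ERC1155 and c["amounts"] > 1]
```

With `enforce_unit=False` the attacker ends the flow holding 3 cNFTs for a token ID the vault no longer holds, while alice is left with a cNFT she can never redeem; with the fix the over-mint is rejected at the first step.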
## References
- Vendor advisories: Bunker.finance Vulnerability Postmortem — BNft Amount Manipulation (April 26, 2022).
- Relevant links - defanged: hxxps://medium.com/@bunker_finance/bunkerfinance-vulnerability-postmortem-bnft-amount-manipulation-1840a517d34f