Foundation contest - Afanasyevich's results

Lines of code

https://github.com/code-423n4/2022-02-foundation/blob/main/contracts/mixins/NFTMarketPrivateSale.sol#L161-L174

Vulnerability details

Impact

As the current private sales implementation makes no use of nonces, it makes possible the following example scenario:

• Bob decides to sell his BAYC #1 NFT to Alice for 80 Ether through a private sale.
• Alice makes use of the signature given by Bob to buy it through buyFromPrivateSaleFor() function
• Alice now sets a buy price for that BAYC #1 NFT of 85 Ether. (MarketProxy address should be given approval by Alice)
• Bob regrets his decision and buys the BAYC #1 NFT from Alice for the 85 Ether.
• Now Bob sets a buy price for that BAYC #1 NFT of 100 Ether. (MarketProxy address should be given approval by Bob)
• If the previous steps are done before the deadline is expired, Alice can now reuse the signature to buy the BAYC #1 NFT once again for 80 Ether.

(As mappings are not correctly deleted Bob will not be able to put a new buy price after rebuying it from Alice. See my other submitted issues. But this is an issue that will be present once the problems with deleting the mappings are addressed)

Proof of Concept

https://github.com/code-423n4/2022-02-foundation/blob/main/contracts/mixins/NFTMarketPrivateSale.sol#L161-L174

Tools Used

N/A

Recommended Mitigation Steps

A nonce linked to the buyer should be included in the signature that is increased every time a signature is used.