Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 48/72
Findings: 1
Award: $36.34
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RaymondFam
Also found by: 0x1f8b, 0x52, 0xSmartContract, 0xc0ffEE, 0xhacksmithh, 8olidity, Awesome, BClabs, Bnke0x0, Chom, Deivitto, Hashlock, IllIllI, Josiah, KingNFT, Nyx, R2, ReyAdmirado, Rolezn, SamGMK, Sathish9098, SinceJuly, V_B, Vadis, Waze, a12jmx, adriro, ajtra, aphak5010, bearonbike, bin, brgltd, carlitox477, carrotsmuggler, cccz, ch0bu, chaduke, datapunk, delfin454000, erictee, fatherOfBlocks, fs0c, horsefacts, jayphbee, ktg, ladboy233, pashov, perseverancesuccess, rbserver, ret2basic, tnevler, zaskoh
36.3434 USDC - $36.34
```solidity
if (tokenTransfersLength > 0) _returnERC20TokensIfAny(tokenTransfers, originator);
_returnETHIfAny(originator);
```
These two lines return the contract's entire ERC20 and ETH balances to the originator, so any tokens or ETH sent to the contract by mistake are handed to the next originator for free!
If LooksRareAggregator is used to sell NFTs / mass accept offers, ERC721 or ERC1155 tokens must be approved to the LooksRareAggregator contract. An attacker who compromises the governance private key could whitelist a malicious contract that performs ERC721.transferFrom(victim, attacker, tokenId) inside the delegated call:

```solidity
(bool success, bytes memory returnData) = singleTradeData.proxy.delegatecall(proxyCalldata);
```
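As an added illustration (not LooksRare's code), the contract below mirrors the refund pattern quoted at the start of the finding and places a balance-delta refund beside it; the TokenTransfer struct, the function names, the OpenZeppelin IERC20 import and the elided trade step are assumptions.

```solidity
pragma solidity ^0.8.17;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Illustrative only: mirrors the refund pattern quoted in the finding, not LooksRare's code.
contract RefundPatterns {
    struct TokenTransfer { address currency; uint256 amount; }
    /// Variant A, as in the finding: after the trades, refund the contract's ENTIRE balance,
    /// so anything already sitting in the contract (sent by mistake) goes to this caller.
    function executeSweepAll(TokenTransfer[] calldata tokenTransfers) external payable {
        // ... trades would run here via delegatecall to whitelisted proxies ...
        if (tokenTransfers.length > 0) _returnERC20TokensIfAny(tokenTransfers, msg.sender);
        _returnETHIfAny(msg.sender);
    }
    function _returnERC20TokensIfAny(TokenTransfer[] calldata tokenTransfers, address to) private {
        for (uint256 i; i < tokenTransfers.length; i++) {
            IERC20 token = IERC20(tokenTransfers[i].currency);
            uint256 balance = token.balanceOf(address(this));
            if (balance > 0) require(token.transfer(to, balance), "ERC20 refund failed");
        }
    }
    function _returnETHIfAny(address to) private {
        uint256 balance = address(this).balance;
        if (balance == 0) return;
        (bool ok, ) = to.call{value: balance}("");
        require(ok, "ETH refund failed");
    }
    /// Variant B (mitigation): snapshot balances before this call's funds arrive and refund
    /// only the delta; stranded funds stay put for a separate, access-controlled rescue path.
    function executeRefundDelta(TokenTransfer[] calldata tokenTransfers) external payable {
        uint256 ethBefore = address(this).balance - msg.value;
        uint256[] memory erc20Before = new uint256[](tokenTransfers.length);
        for (uint256 i; i < tokenTransfers.length; i++) {
            IERC20 token = IERC20(tokenTransfers[i].currency);
            erc20Before[i] = token.balanceOf(address(this)); // snapshot before pulling
            require(token.transferFrom(msg.sender, address(this), tokenTransfers[i].amount), "pull failed");
        }
        // ... trades would run here ...
        for (uint256 i; i < tokenTransfers.length; i++) {
            IERC20 token = IERC20(tokenTransfers[i].currency);
            uint256 leftover = token.balanceOf(address(this)) - erc20Before[i];
            if (leftover > 0) require(token.transfer(msg.sender, leftover), "ERC20 refund failed");
        }
        uint256 ethLeftover = address(this).balance - ethBefore;
        if (ethLeftover == 0) return;
        (bool ok, ) = msg.sender.call{value: ethLeftover}("");
        require(ok, "ETH refund failed");
    }
}
```

Variant B's subtraction reverts (Solidity 0.8 checked arithmetic) if a trade consumed funds that were already in the contract before the call, which is the intended signal that stranded funds need the rescue path rather than a silent sweep.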
#0 - c4-judge
2022-11-21T17:08:19Z
Picodes marked the issue as grade-b
#1 - 0xhiroshi
2022-11-24T18:25:13Z
"If someone accidentally sends ERC20 / ETH to the LooksRareAggregator contract, the next user using the aggregator will be given these tokens" - invalid, it's free for all

"LooksRareAggregator may be used to sell NFTs / mass accept offers instead of buying them in the future. Expose a risk for a hacker to steal approved NFTs in case the governance key got compromised" - invalid, there is no code to sell NFT in this contract
#2 - c4-sponsor
2022-11-24T18:25:17Z
0xhiroshi marked the issue as sponsor disputed
#3 - Picodes
2022-12-11T22:20:16Z
The second one is valid to me as any allowance to LooksRareAggregator or ERC20EnabledLooksRareAggregator could be exploited by a malicious owner: you just need to addFunction.
#4 - 0xhiroshi
2022-12-12T08:26:05Z
@Picodes ERC20EnabledLooksRareAggregator has no owner, and if we want to add a function to sell NFTs, we will follow a similar architecture as ERC20EnabledLooksRareAggregator, which does not grant NFT approvals to LooksRareAggregator so even if LooksRareAggregator is compromised the attacker cannot transfer NFTs out of users' wallets.
#5 - Picodes
2022-12-12T08:53:38Z
You are right, my bad