Blur Exchange contest - Jeiwan's results

An NFT exchange for the Blur marketplace.

General Information

Platform: Code4rena

Start Date: 05/10/2022

Pot Size: $50,000 USDC

Total HM: 2

Participants: 80

Period: 5 days

Judge: GalloDaSballo

Id: 168

League: ETH

Blur Exchange

Findings Distribution

Researcher Performance

Rank: 44/80

Findings: 1

Award: $114.82

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-10-blur/blob/main/contracts/matchingPolicies/StandardPolicyERC1155.sol#L33

https://github.com/code-423n4/2022-10-blur/blob/main/contracts/matchingPolicies/StandardPolicyERC1155.sol#L59

Vulnerability details

Impact

Buyers of ERC1155 tokens will always get 1 token no matter what amount is specified in the order.

Proof of Concept

At both of the lines linked above, StandardPolicyERC1155 hard-codes the trade amount to 1 instead of taking it from the order:

A constant of 1 is correct for ERC721, where each token ID maps to exactly one token, but not for ERC1155, where the standard allows many fungible tokens to share a single ID and an order's amount field is meant to say how many of them change hands. The exchange transfers whatever amount the policy returns while still charging the order's full price, so the buyer is shorted.

// tests/execution.test.ts
it('transfers only one ERC1155 token [audit]', async () => {
  await mockERC1155.mint(alice.address, tokenId, 10);
  sell = generateOrder(alice, {
    side: Side.Sell,
    tokenId,
    amount: 10, // Alice sells 10 tokens
    collection: mockERC1155.address,
    matchingPolicy: matchingPolicies.standardPolicyERC1155.address,
  });
  buy = generateOrder(bob, {
    side: Side.Buy,
    tokenId,
    amount: 10, // Bob expects to buy 10 tokens
    collection: mockERC1155.address,
    matchingPolicy: matchingPolicies.standardPolicyERC1155.address,
  });
  sellInput = await sell.pack();
  buyInput = await buy.pack();

  await waitForTx(exchange.execute(sellInput, buyInput));

  // Bob receives only 1 token...
  expect(await mockERC1155.balanceOf(bob.address, tokenId)).to.be.equal(1);
  // but pays the full price.
  await checkBalances(
    aliceBalance,
    aliceBalanceWeth.add(priceMinusFee),
    bobBalance,
    bobBalanceWeth.sub(price),
    feeRecipientBalance,
    feeRecipientBalanceWeth.add(fee),
  );
});

Recommended mitigation: in StandardPolicyERC1155, return the amount specified in the order instead of the constant 1, and make the match check require that the seller's and buyer's amounts agree so that a mismatched pair cannot be executed.
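The following is an added example, not code from the Blur contracts or the contest repository. It models the exchange/policy split in TypeScript: the exchange trusts the matching policy for the quantity to transfer, a policy that hard-codes 1 reproduces the PoC above (buyer receives 1 token, pays the full price), and an amount-aware policy that also requires both sides to agree on the amount is the mitigation. The Order shape, Ledger class, function names and the constructed scenario values (alice sells 10 of tokenId 1 for 100 WETH) are assumptions for the illustration and do not mirror the real contracts' signatures; fees are left out.

```typescript
// Added example, not Blur's code: a toy exchange that asks a matching policy
// how many tokens to transfer, contrasting a policy that hard-codes 1 with one
// that honours the orders' amount field. Names and shapes are assumed.

type Side = "buy" | "sell";

interface Order {
  trader: string;
  side: Side;
  collection: string;
  tokenId: number;
  amount: number; // ERC1155 quantity the trader intends to sell or buy
  price: number;  // total price for the whole order, not per token
}

// What a matching policy reports back to the exchange.
interface MatchResult {
  canMatch: boolean;
  amount: number; // quantity the exchange will transfer
}

type MatchingPolicy = (sell: Order, buy: Order) => MatchResult;

// Field checks shared by both policies: opposite sides, same asset, same price.
function baseFieldsMatch(sell: Order, buy: Order): boolean {
  return (
    sell.side === "sell" &&
    buy.side === "buy" &&
    sell.collection === buy.collection &&
    sell.tokenId === buy.tokenId &&
    sell.price === buy.price
  );
}

// Vulnerable behaviour: the orders' amount field is ignored and 1 is returned
// unconditionally. Right for ERC721 (one token per ID), wrong for ERC1155.
const constantOnePolicy: MatchingPolicy = (sell, buy) => ({
  canMatch: baseFieldsMatch(sell, buy),
  amount: 1,
});

// Fixed behaviour: both sides must state the same non-zero amount, and that
// amount is what the exchange moves.
const amountAwarePolicy: MatchingPolicy = (sell, buy) => ({
  canMatch: baseFieldsMatch(sell, buy) && sell.amount > 0 && sell.amount === buy.amount,
  amount: sell.amount,
});

// Minimal in-memory ledger standing in for an ERC1155 collection plus WETH.
class Ledger {
  private tokens = new Map<string, number>(); // key "owner:tokenId"
  private weth = new Map<string, number>();

  mint(owner: string, tokenId: number, amount: number): void {
    this.tokens.set(`${owner}:${tokenId}`, this.tokenBalance(owner, tokenId) + amount);
  }
  depositWeth(owner: string, amount: number): void {
    this.weth.set(owner, this.wethBalance(owner) + amount);
  }
  tokenBalance(owner: string, tokenId: number): number {
    return this.tokens.get(`${owner}:${tokenId}`) ?? 0;
  }
  wethBalance(owner: string): number {
    return this.weth.get(owner) ?? 0;
  }
  transferToken(from: string, to: string, tokenId: number, amount: number): void {
    if (this.tokenBalance(from, tokenId) < amount) throw new Error("insufficient tokens");
    this.tokens.set(`${from}:${tokenId}`, this.tokenBalance(from, tokenId) - amount);
    this.tokens.set(`${to}:${tokenId}`, this.tokenBalance(to, tokenId) + amount);
  }
  transferWeth(from: string, to: string, amount: number): void {
    if (this.wethBalance(from) < amount) throw new Error("insufficient WETH");
    this.weth.set(from, this.wethBalance(from) - amount);
    this.weth.set(to, this.wethBalance(to) + amount);
  }
}

// The exchange trusts the policy for the quantity, as in the PoC: whatever
// amount comes back is transferred, and the order's full price is charged.
function execute(ledger: Ledger, sell: Order, buy: Order, policy: MatchingPolicy): number {
  const { canMatch, amount } = policy(sell, buy);
  if (!canMatch) throw new Error("orders do not match");
  ledger.transferToken(sell.trader, buy.trader, sell.tokenId, amount);
  ledger.transferWeth(buy.trader, sell.trader, sell.price);
  return amount;
}

// Constructed scenario mirroring the PoC: alice sells 10 of tokenId 1 for
// 100 WETH and bob buys buyAmount. Returns what bob holds and what he paid.
function runScenario(policy: MatchingPolicy, buyAmount = 10): { tokens: number; paid: number } {
  const ledger = new Ledger();
  ledger.mint("alice", 1, 10);
  ledger.depositWeth("bob", 100);
  const sell: Order = { trader: "alice", side: "sell", collection: "mock1155", tokenId: 1, amount: 10, price: 100 };
  const buy: Order = { trader: "bob", side: "buy", collection: "mock1155", tokenId: 1, amount: buyAmount, price: 100 };
  execute(ledger, sell, buy, policy);
  return { tokens: ledger.tokenBalance("bob", 1), paid: 100 - ledger.wethBalance("bob") };
}

console.log("vulnerable:", runScenario(constantOnePolicy)); // tokens 1, paid 100
console.log("fixed:", runScenario(amountAwarePolicy));      // tokens 10, paid 100
```

With constantOnePolicy bob ends up with 1 token for the full 100 WETH, exactly the balance pattern the test above asserts; with amountAwarePolicy he receives all 10, and an order pair whose amounts disagree (for example buyAmount = 5 against alice's 10) is rejected at match time rather than silently settled.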

#0 - GalloDaSballo (2022-10-13T22:27:34Z)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
