Back to Junnon's contests

Blur Exchange contest - Junnon's results

An NFT exchange for the Blur marketplace.

General Information

Platform: Code4rena

Start Date: 05/10/2022

Pot Size: $50,000 USDC

Total HM: 2

Participants: 80

Period: 5 days

Judge: GalloDaSballo

Id: 168

League: ETH

Blur Exchange

Findings Distribution

Researcher Performance

Rank: 39/80

Findings: 1

Award: $114.82

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryBlur Exchange

Findings Information

🌟 Selected for report: dipp

Also found by: 0x4non, 0x52, 0xRobocop, 0xc0ffEE, 8olidity, Ch_301, Jeiwan, Junnon, KIntern_NA, Lambda, M4TZ1P, MiloTruck, Nyx, PaludoX0, Ruhum, RustyRabbit, Soosh, TomJ, Trust, arcoun, aviggiano, bardamu, cryptonue, csanuragjain, d3e4, enckrish, exd0tpy, hansfriese, jayphbee, joestakey, ladboy233, minhquanym, minhtrng, nicobevi, obront, polymorphism, rokinot, romand, rotcivegaf, rvierdiiev, saian, serial-coder, trustindistrust, zzykxx

Awards

114.8239 USDC - $114.82

Labels

bug
duplicate
3 (High Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-10-blur/blob/2fdaa6e13b544c8c11d1c022a575f16c3a72e3bf/contracts/matchingPolicies/StandardPolicyERC1155.sol#L33 https://github.com/code-423n4/2022-10-blur/blob/2fdaa6e13b544c8c11d1c022a575f16c3a72e3bf/contracts/matchingPolicies/StandardPolicyERC1155.sol#L59

Vulnerability details

Impact

StandardPolicyERC1155 will always passing 1 value of amount in execute function in BlurExchange.sol, even if seller order to sell 2 or more NFT. because of that seller will only transfer 1 NFT but buyer pay for 2 or more NFT. If this bug is realized by the seller, seller can exploit the contract that will make the buyer lose fund.

Proof of Concept

add this code below to execution.test.ts

    it('Sell 10 but only transfer 1', async () => {
      await mockERC1155.mint(alice.address, tokenId, 1);
      sell = generateOrder(alice, {
        side: Side.Sell,
        tokenId,
        amount: 10, // EDITED Alice will sell 10 NFT
        collection: mockERC1155.address,
        matchingPolicy: matchingPolicies.standardPolicyERC1155.address,
      });
      buy = generateOrder(bob, {
        side: Side.Buy,
        tokenId,
        amount: 10, // EDITED Bob will buy 10 NFT too
        collection: mockERC1155.address,
        matchingPolicy: matchingPolicies.standardPolicyERC1155.address,
      });
      sellInput = await sell.pack();
      buyInput = await buy.pack();


      await waitForTx(exchange.execute(sellInput, buyInput));

      // SAD bob will only receive 1 NFT
      expect(await mockERC1155.balanceOf(bob.address, tokenId)).to.be.equal(1);

      await checkBalances(
        aliceBalance,
        aliceBalanceWeth.add(priceMinusFee),
        bobBalance,
        bobBalanceWeth.sub(price),
        feeRecipientBalance,
        feeRecipientBalanceWeth.add(fee),
      );
    });

the test above will pass since Bob will only receive 1 NFT, Bob expected to receive 10 NFT from Alice, but instead he just receive 1 NFT and Alice take all the money.

Tools Used

VSCode

The reason why this bug available is because StandardPolicyERC1155 will always returning 1 value to amount. edit the code in StandardPolicyERC1155.sol (1 and 2 ) with this code below:

33       makerAsk.amount,

59       takerAsk.amount,

#0 - GalloDaSballo

2022-10-13T22:27:41Z

Dup of https://github.com/code-423n4/2022-10-blur-findings/issues/666

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter