Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 39/72
Findings: 1
Award: $77.22
🌟 Selected for report: 0
🚀 Solo Findings: 0
77.2215 USDC - $77.22
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L109
if some Ether is sent (erroneously or not) to the contract, anyone that calls correctly LooksRareAggregator.execute will be able to steal those coins.
to execute the function using ethers as payment, these conditions must be true:
if tokenTransfersLength == 0, originator will be set as msg.sender() aka the contract that is calling the function.
assuming the user can successfully execute an order through any proxy, at the end of the function there is the call:
_returnETHIfAny(originator);
this function is responsible to check if self balance > 0 and send the balance to recipient, which is, in this case, msg.sender
Prerequisite is that the LooksRareAggregator contract has received somehow some Ethers.
call execute() function without specify any tokenTransfer; assuming the call through proxy does not revert, the function will transfer the whole available balance to the address set as msg.sender.
VS Code
get contract's balance before and after the delegatecall, then finally reimburse up to the balance before the call.
#0 - c4-judge
2022-11-19T10:19:52Z
Picodes marked the issue as duplicate of #277
#1 - c4-judge
2022-12-16T14:01:10Z
Picodes changed the severity to 2 (Med Risk)
#2 - c4-judge
2022-12-16T14:01:11Z
Picodes marked the issue as satisfactory