Platform: Code4rena
Start Date: 05/10/2022
Pot Size: $50,000 USDC
Total HM: 2
Participants: 80
Period: 5 days
Judge: GalloDaSballo
Id: 168
League: ETH
Rank: 35/80
Findings: 1
Award: $114.82
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: dipp
Also found by: 0x4non, 0x52, 0xRobocop, 0xc0ffEE, 8olidity, Ch_301, Jeiwan, Junnon, KIntern_NA, Lambda, M4TZ1P, MiloTruck, Nyx, PaludoX0, Ruhum, RustyRabbit, Soosh, TomJ, Trust, arcoun, aviggiano, bardamu, cryptonue, csanuragjain, d3e4, enckrish, exd0tpy, hansfriese, jayphbee, joestakey, ladboy233, minhquanym, minhtrng, nicobevi, obront, polymorphism, rokinot, romand, rotcivegaf, rvierdiiev, saian, serial-coder, trustindistrust, zzykxx
114.8239 USDC - $114.82
Due to the way StandardPolicyERC1155 is coded, users will only receive 1 ERC1155 token instead of the amount specified in their buy order.
In the StandardPolicyERC1155, contract, the functions canMatchMakerAsk() and canMatchMakerBid() return 1 as the amount to be transferred:
// Using canMatchMakerAsk() as an example 24: return ( 25: (makerAsk.side != takerBid.side) && 26: (makerAsk.paymentToken == takerBid.paymentToken) && 27: (makerAsk.collection == takerBid.collection) && 28: (makerAsk.tokenId == takerBid.tokenId) && 29: (makerAsk.matchingPolicy == takerBid.matchingPolicy) && 30: (makerAsk.price == takerBid.price), 31: makerAsk.price, 32: makerAsk.tokenId, 33: 1, // @audit This is the amount to be transferred in an order 34: AssetType.ERC1155 35: );
Thus, if StandardPolicyERC1155 is used as the matching policy for an ERC1155 order pair, only 1 ERC1155 token will be transferred to the buyer, regardless of the amount specified in the order. Attackers could abuse this by creating sell orders with a high amount, misleading buyers into thinking they are buying more than 1 ERC1155 token.
Furthermore, this goes against what is written in the README, which states amount works for ERC1155 tokens:
The responsibility of each policy is to assert the criteria for a valid match are met and return the parameters for proper execution -
price- matching pricetokenId- NFT token id to transferamount- (for erc1155) amount of the token to transferassetType- ERC721 or ERC1155
In StandardPolicyERC1155, check that amount is the same for both ask and bid orders, and return that instead.
#0 - blur-io-toad
2022-10-16T23:38:53Z
This was an oversight on my part for not putting this contract as out-of-scope. Our marketplace does not handle ERC1155 yet and so we haven't concluded what the matching critieria for those orders will be. This contract was mainly created to test ERC1155 transfers through the rest of the exchange, but shouldn't be deployed initially. When we are prepared to handle ERC1155 orders we will have to develop a new matching policy that determines the amount from the order parameters. Acknowledging that it's incorrect, but won't be making any changes as the contract won't be deployed.
#1 - trust1995
2022-10-28T00:00:28Z
Dup #711
#2 - GalloDaSballo
2022-10-28T00:06:56Z
#3 - trust1995
2022-10-28T00:15:36Z
I believe warden identified the issue in #711 . His recommended fix: In StandardPolicyERC1155, check that amount is the same for both ask and bid orders, and return that instead is much more similar to #711 than #666