Caviar Private Pools - Norah's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Platform: Code4rena

Start Date: 07/04/2023

Pot Size: $47,000 USDC

Total HM: 20

Participants: 120

Period: 6 days

Judge: GalloDaSballo

Total Solo HM: 4

Id: 230

League: ETH

Caviar

Researcher Performance

Rank: 74/120

Findings: 1

Award: $26.76

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

26.761 USDC - $26.76

Labels

bug
3 (High Risk)
satisfactory
duplicate-184

External Links

Lines of code

https://github.com/code-423n4/2023-04-caviar/blob/main/src/PrivatePool.sol#L459-L476

Vulnerability details

Impact

Funds that users have approved for a private pool, either to buy NFTs or to pay fees when swapping NFTs, can be captured by the pool owner.

Proof of Concept

Consider the following scenario:

  • Normal users approve a private pool contract to spend a certain amount of their base token to pay for the NFTs they want to buy from the pool.
  • They then call the buy() function to buy the NFTs from the pool.
  • A malicious owner of the pool can observe these two transactions in the mempool and place the following transaction between them:
  • The owner calls the execute function with the base token contract as the target address and the signature of the transferFrom function, with these parameters:
      - the approved amount
      - his own address
  • This way the owner (attacker) gets the users' funds that were intended to buy the NFTs.
  • Also, most of the time normal users approve more than a transaction needs, for the sake of convenience, often huge amounts.
  • In that case the owner (attacker) does not even have to front-run any user's transaction; he/she can call execute at any later time, as described, to steal the remaining approved funds from users.

Tools Used

Manual Analysis

  • The execute function is there to protect the owner in certain cases, but the owner can exploit it as described.
  • A better way would be to provide an emergency function that gives the owner limited access while still protecting her/his interest.
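One way to limit the owner's access as suggested above, shown as an added example that is not Caviar's code or the fix adopted for this contest: an owner-only call forwarder that refuses the contracts on which users grant the pool allowances. The contract name, the `baseToken` and `nft` fields and the error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only. All names here are hypothetical.
contract GuardedExecutor {
    address public immutable owner;
    address public immutable baseToken; // ERC-20 that buyers approve to this contract
    address public immutable nft;       // collection that sellers approve to this contract

    error Unauthorized();
    error ForbiddenTarget(address target);
    error CallFailed(bytes returndata);

    constructor(address _baseToken, address _nft) {
        owner = msg.sender;
        baseToken = _baseToken;
        nft = _nft;
    }

    /// Owner-only arbitrary call, except to the contracts on which users
    /// have granted this contract allowances or approvals.
    function execute(address target, bytes calldata data)
        external
        payable
        returns (bytes memory)
    {
        if (msg.sender != owner) revert Unauthorized();

        // Inside the token contract, msg.sender of a forwarded call is this
        // contract, so a forwarded transferFrom would spend allowances that
        // users granted for buying or swapping. Reject those targets outright.
        if (target == baseToken || target == nft) revert ForbiddenTarget(target);

        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        if (!ok) revert CallFailed(ret);
        return ret;
    }
}
```

A target check of this kind covers only the two listed contracts; any other token a user has approved to the pool address stays reachable through the forwarder.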

#0 - c4-pre-sort

2023-04-20T16:40:22Z

0xSorryNotSorry marked the issue as duplicate of #184

#1 - c4-judge

2023-05-01T08:20:48Z

GalloDaSballo marked the issue as satisfactory
