Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 34/72
Findings: 2
Award: $113.56
🌟 Selected for report: 0
🚀 Solo Findings: 0
77.2215 USDC - $77.22
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/LooksRareAggregator.sol#L108 https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/LooksRareAggregator.sol#L109 https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/LooksRareAggregator.sol#L244 https://github.com/code-423n4/2022-11-looksrare/blob/f4c90ca149f4aeeac125605a56166297b717201a/contracts/lowLevelCallers/LowLevelETH.sol#L46
To calculate change (not used tokens/ETH) you are checking entire contract balance, and not checking if contract balance was not empty at transactions start
LooksRareAggregator.ERC20EnabledLooksRareAggregator)._returnERC20TokensIfAny() you are checking balance:
uint256 balance = IERC20(tokenTransfers[i].currency).balanceOf(address(this)).
And balance = 100 so Bob will receive 100 A tokensvs code
Check balance before sending Bob's tokens and after trade. And send to Bob only difference
#0 - c4-judge
2022-11-19T10:21:12Z
Picodes marked the issue as duplicate of #277
#1 - c4-judge
2022-12-16T13:58:10Z
Picodes changed the severity to 2 (Med Risk)
#2 - c4-judge
2022-12-16T13:58:11Z
Picodes marked the issue as satisfactory
🌟 Selected for report: RaymondFam
Also found by: 0x1f8b, 0x52, 0xSmartContract, 0xc0ffEE, 0xhacksmithh, 8olidity, Awesome, BClabs, Bnke0x0, Chom, Deivitto, Hashlock, IllIllI, Josiah, KingNFT, Nyx, R2, ReyAdmirado, Rolezn, SamGMK, Sathish9098, SinceJuly, V_B, Vadis, Waze, a12jmx, adriro, ajtra, aphak5010, bearonbike, bin, brgltd, carlitox477, carrotsmuggler, cccz, ch0bu, chaduke, datapunk, delfin454000, erictee, fatherOfBlocks, fs0c, horsefacts, jayphbee, ktg, ladboy233, pashov, perseverancesuccess, rbserver, ret2basic, tnevler, zaskoh
36.3434 USDC - $36.34
Before calling marketplace.fulfillAvailableAdvancedOrders() you should approve tokens using in advancedOrders
But you haven't approval calls inside execute() function
You have dedicated function LooksRareAggregator.approve() but you have to call it for all tokens for unlimited count
It's not safe, because marketplace may be hacked
And if you hadn't call LooksRareAggregator.approve() for some token, it will be impossible to use that token for transactions
No approve()calls: https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/proxies/SeaportProxy.sol#L116
vs code
Before calling marketplace.fulfillAvailableAdvancedOrders() call IERC20(token).approve() for each token using in advancedOrders
#0 - Picodes
2022-11-19T11:38:15Z
#1 - c4-judge
2022-11-19T11:38:33Z
Picodes changed the severity to QA (Quality Assurance)
#2 - c4-sponsor
2022-11-23T17:59:50Z
0xhiroshi marked the issue as sponsor disputed
#3 - 0xhiroshi
2022-11-23T18:00:00Z
Invalid
#4 - c4-judge
2022-12-11T13:32:44Z
Picodes marked the issue as grade-b