Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 69/72
Findings: 1
Award: $36.34
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RaymondFam
Also found by: 0x1f8b, 0x52, 0xSmartContract, 0xc0ffEE, 0xhacksmithh, 8olidity, Awesome, BClabs, Bnke0x0, Chom, Deivitto, Hashlock, IllIllI, Josiah, KingNFT, Nyx, R2, ReyAdmirado, Rolezn, SamGMK, Sathish9098, SinceJuly, V_B, Vadis, Waze, a12jmx, adriro, ajtra, aphak5010, bearonbike, bin, brgltd, carlitox477, carrotsmuggler, cccz, ch0bu, chaduke, datapunk, delfin454000, erictee, fatherOfBlocks, fs0c, horsefacts, jayphbee, ktg, ladboy233, pashov, perseverancesuccess, rbserver, ret2basic, tnevler, zaskoh
36.3434 USDC - $36.34
## Impact
A malicious (or malfunctioning) proxy contract whose storage layout is the same as, or overlaps with, that of LooksRareAggregator can overwrite the erc20EnabledLooksRareAggregator address with a malicious one. Because users have granted ERC20 approval to that address, the attacker-controlled address is then able to steal users' ERC20 funds.
## Proof of Concept
The erc20EnabledLooksRareAggregator address is stored as a state variable in the LooksRareAggregator contract. There is no protection against it being changed by a proxy with the same storage layout when that proxy is invoked via delegatecall.
## Tools Used
Manual auditing
## Recommended Mitigation Steps
Save the erc20EnabledLooksRareAggregator address in memory before the delegatecall, since memory cannot be affected by the callee's storage writes:
```solidity
address erc20EnabledLooksRareAggregator_ = erc20EnabledLooksRareAggregator;
```
Then check that erc20EnabledLooksRareAggregator has not been changed after the external call:
```solidity
if (erc20EnabledLooksRareAggregator_ != erc20EnabledLooksRareAggregator) { revert(); }
```
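The cache-and-compare mitigation described above, as an added Solidity example that is not the LooksRareAggregator code and not part of this finding. The contract name `DelegatingAggregator`, the variable `erc20EnabledAggregator`, the custom errors and the `SlotZeroWriter` test fixture are all hypothetical; the point is that `delegatecall` runs the callee's bytecode against the caller's storage, so the snapshot has to live in memory and the comparison has to happen after the call returns.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical aggregator illustrating the cache-and-compare check.
/// Not the LooksRareAggregator implementation.
contract DelegatingAggregator {
    error DelegatecallFailed();
    error StorageTampered();

    /// Address that users grant ERC20 approval to. It occupies storage
    /// slot 0, so any delegatecall target that writes slot 0 overwrites it.
    address public erc20EnabledAggregator;

    constructor(address erc20EnabledAggregator_) {
        erc20EnabledAggregator = erc20EnabledAggregator_;
    }

    /// Runs `data` against `proxy` in this contract's storage context and
    /// reverts if the proxy changed the sensitive address.
    function execute(address proxy, bytes calldata data) external {
        // 1. Snapshot the sensitive value in memory. Memory belongs to this
        //    call frame only; the delegatecall target can write our storage
        //    but cannot reach this local variable.
        address cachedAggregator = erc20EnabledAggregator;

        // 2. Execute the proxy logic. Its code runs here, with this
        //    contract's storage, msg.sender and balance.
        (bool success, ) = proxy.delegatecall(data);
        if (!success) revert DelegatecallFailed();

        // 3. Compare storage with the snapshot. A proxy whose layout
        //    overlaps slot 0, whether by design or by accident, is caught
        //    here and the whole transaction is reverted.
        if (cachedAggregator != erc20EnabledAggregator) revert StorageTampered();
    }
}

/// Test fixture (hypothetical): a proxy whose storage layout overlaps the
/// aggregator's slot 0. Calling `execute(address(fixture),
/// abi.encodeCall(SlotZeroWriter.clobber, (someAddress)))` on
/// DelegatingAggregator must revert with StorageTampered, which is how a
/// unit test demonstrates that the check works.
contract SlotZeroWriter {
    address public overlappingSlot; // also slot 0

    function clobber(address newValue) external {
        overlappingSlot = newValue;
    }
}
```

The comparison only protects the variables it covers: every storage value that authorization or fund movement depends on needs its own snapshot and check, and untrusted delegatecall targets remain risky even with such checks in place because they can still alter any other slot.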
#0 - c4-judge
2022-11-19T10:29:51Z
Picodes marked the issue as duplicate of #125
#1 - c4-judge
2022-12-16T13:50:16Z
Picodes marked the issue as not a duplicate
#2 - c4-judge
2022-12-16T13:50:23Z
Picodes changed the severity to QA (Quality Assurance)
#3 - c4-judge
2022-12-16T13:50:47Z
Picodes marked the issue as grade-b