Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 68/72
Findings: 1
Award: $36.34
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RaymondFam
Also found by: 0x1f8b, 0x52, 0xSmartContract, 0xc0ffEE, 0xhacksmithh, 8olidity, Awesome, BClabs, Bnke0x0, Chom, Deivitto, Hashlock, IllIllI, Josiah, KingNFT, Nyx, R2, ReyAdmirado, Rolezn, SamGMK, Sathish9098, SinceJuly, V_B, Vadis, Waze, a12jmx, adriro, ajtra, aphak5010, bearonbike, bin, brgltd, carlitox477, carrotsmuggler, cccz, ch0bu, chaduke, datapunk, delfin454000, erictee, fatherOfBlocks, fs0c, horsefacts, jayphbee, ktg, ladboy233, pashov, perseverancesuccess, rbserver, ret2basic, tnevler, zaskoh
36.3434 USDC - $36.34
The contract will accept ETH from anybody.
https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/proxies/SeaportProxy.sol#L86 The receive() function at this line exists so that ETH can be refunded back to the user if fulfillAvailableAdvancedOrders fails, but it places no restriction on the sender, which means anyone can transfer ETH to this contract.
Add a restriction to this function so that only the marketplace can send ETH to it:
    receive() external payable {
        if (msg.sender != address(marketplace)) revert InvalidCaller();
    }
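To show the behaviour of the proposed restriction, here is an added Foundry test, not part of the submission or of the LooksRare code: a stand-in proxy with the restricted receive(), a stand-in marketplace that refunds unspent ETH, and assertions that the marketplace refund is accepted while a direct transfer from any other sender is rejected. The contract names, the mock marketplace and its refund function are hypothetical, and forge-std is assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";

// Hypothetical stand-in for the proxy; only the receive() matters here.
contract RestrictedReceiveProxy {
    error InvalidCaller();

    address public immutable marketplace;

    constructor(address _marketplace) {
        marketplace = _marketplace;
    }

    // Only the marketplace may push ETH in (e.g. a refund of unspent value).
    receive() external payable {
        if (msg.sender != marketplace) revert InvalidCaller();
    }
}

// Hypothetical marketplace that refunds whatever value it was called with.
contract MockMarketplace {
    function refund(address payable to) external payable {
        (bool ok, ) = to.call{value: msg.value}("");
        require(ok, "refund failed");
    }
}

contract RestrictedReceiveTest is Test {
    MockMarketplace market;
    RestrictedReceiveProxy proxy;

    function setUp() public {
        market = new MockMarketplace();
        proxy = new RestrictedReceiveProxy(address(market));
    }

    // The refund path the receive() exists for still works.
    function testRefundFromMarketplaceAccepted() public {
        market.refund{value: 1 ether}(payable(address(proxy)));
        assertEq(address(proxy).balance, 1 ether);
    }

    // A plain transfer from any other sender (here the test contract) reverts.
    function testDirectTransferRejected() public {
        (bool ok, ) = address(proxy).call{value: 1 ether}("");
        assertFalse(ok);
        assertEq(address(proxy).balance, 0);
    }
}
```

Run with `forge test`; the second test is the check that the unrestricted version would fail, since it would accept the direct transfer.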
#0 - Picodes
2022-11-21T15:39:19Z
Valid, but why would someone transfer funds to this contract?
#1 - c4-judge
2022-11-21T15:39:27Z
Picodes changed the severity to QA (Quality Assurance)
#2 - c4-sponsor
2022-11-22T23:09:05Z
0xhiroshi marked the issue as sponsor disputed
#3 - 0xhiroshi
2022-11-22T23:11:34Z
This is going to cost more gas during a refund for 0 benefit; we don't care if people randomly send ETH to the contract.
#4 - c4-judge
2022-12-12T10:12:50Z
Picodes marked the issue as grade-b