Platform: Code4rena
Start Date: 05/01/2023
Pot Size: $90,500 USDC
Total HM: 55
Participants: 103
Period: 14 days
Judge: Picodes
Total Solo HM: 18
Id: 202
League: ETH
Rank: 54/103
Findings: 2
Award: $137.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Lirios
Also found by: 0xcm, 0xsomeone, HE1M, Jeiwan, Koolex, bin2chen, c7e7eff, cergyk, dragotanqueray, evan, ladboy233, synackrst, unforgiven, wallstreetvilkas
33.2422 USDC - $33.24
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/ClearingHouse.sol#L169-L178
https://github.com/code-423n4/2023-01-astaria/blob/1bfc58b42109b839528ab1c21dc9803d663df898/src/ClearingHouse.sol#L123
ClearingHouse implements the ERC1155 safeTransferFrom hook for seaport to call when it resolves considerations. Only it does not check that the call comes from seaport. A malicious user can call this function encoding the settlement token of their choice and redeem the underlying NFT, providing that an auction is taking place for it (checked in Collateral.settleAuction).
Links provided in relevant section
Manual review
Should either check that initiator is seaport, or that settlement token is the one required by the auction.
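A sketch of the two checks recommended above, applied together, as an added example that is not part of the original submission and is not Astaria's code. The contract, its field names, and the assumption that the payment token is carried in the low 160 bits of `identifier` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration only; NOT Astaria's ClearingHouse. All names are hypothetical.
contract SettlementHookSketch {
    // Assumed: the only contract allowed to settle (the marketplace or its conduit).
    address public immutable marketplace;
    // Assumed: the settlement token fixed when the auction was listed.
    address public immutable expectedToken;
    bool public auctionActive;
    bool public settled;

    error NotMarketplace(address caller);
    error WrongSettlementToken(address supplied);
    error NoActiveAuction();

    constructor(address marketplace_, address expectedToken_) {
        marketplace = marketplace_;
        expectedToken = expectedToken_;
        auctionActive = true;
    }

    // ERC1155-shaped hook. Assumption: the caller encodes the payment token
    // in the low 160 bits of `identifier`, so the value is caller-controlled.
    function safeTransferFrom(
        address, /* from */
        address, /* to */
        uint256 identifier,
        uint256, /* amount */
        bytes calldata /* data */
    ) external {
        // Check 1: only the marketplace may trigger settlement.
        if (msg.sender != marketplace) revert NotMarketplace(msg.sender);

        // Check 2: the decoded token must match the one the auction requires,
        // so an arbitrary token cannot stand in for payment.
        address paymentToken = address(uint160(identifier));
        if (paymentToken != expectedToken) revert WrongSettlementToken(paymentToken);

        if (!auctionActive) revert NoActiveAuction();
        auctionActive = false;
        settled = true; // stand-in for distributing proceeds and releasing collateral
    }
}
```

The submission proposes either check on its own; the sketch applies both so that each covers the other if the marketplace address or the listing data is misconfigured.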
#0 - c4-judge
2023-01-24T07:48:35Z
Picodes marked the issue as duplicate of #564
#1 - c4-judge
2023-02-15T07:31:55Z
Picodes marked the issue as satisfactory
#2 - c4-judge
2023-02-23T21:03:28Z
Picodes changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-02-24T10:37:08Z
This previously downgraded issue has been upgraded by Picodes
#4 - c4-judge
2023-02-24T10:39:35Z
Picodes marked the issue as not a duplicate
#5 - c4-judge
2023-02-24T10:40:39Z
Picodes marked the issue as duplicate of #521
🌟 Selected for report: csanuragjain
Also found by: 7siech, KIntern_NA, Koolex, bin2chen, cergyk, evan, obront, unforgiven
104.2518 USDC - $104.25
Since any vault can issue a lien to any collateralId (using the case receiver == holder), a malicious vault owner can lock any collateralId not having liens by issuing a malicious lien.
Here is the detailed scenario:
An innocent user A deposits their NFT in the CollateralToken contract, mints a token with id collateralId.
If user A did not commit to any lien yet, malicious user B creates a public vault, and issues a lien to A for collateralId, denominated in an ERC20 token controlled by B.
B locks the transfer function on their ERC20 token until the auction, during which B is the only one able to transfer the ERC20, thus obtaining the right to claim the collateral.
Manual review
The condition for validity should be (always checking msg.sender):
if ( (msg.sender != holder) && (msg.sender != operator) && !CT.isApprovedForAll(holder, msg.sender) )
#0 - c4-judge
2023-01-24T10:25:09Z
Picodes marked the issue as duplicate of #565
#1 - c4-judge
2023-02-15T07:04:25Z
Picodes marked the issue as satisfactory
#2 - c4-judge
2023-02-15T07:18:02Z
Picodes changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-02-15T07:22:03Z
This previously downgraded issue has been upgraded by Picodes
#4 - c4-judge
2023-02-15T07:31:02Z
Picodes marked the issue as not a duplicate
#5 - c4-judge
2023-02-15T07:31:11Z
Picodes marked the issue as duplicate of #19