Blur Exchange contest - datapunk's results

Lines of code

https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Exchange.sol#L219

Vulnerability details

Impact

_returnDust instead of returning the rightful remainingETH amount, it returns selfbalance(). If eth gets into the contract somehow, it can be swept by anyone, who passes in some eth through bulkExecute, even with empty executions parameter.

Proof of Concept

                let callStatus := call(
                    gas(),
                    caller(),
                    selfbalance(),
                    0,
                    0,
                    0,
                    0
                )

Tools Used

Recommended Mitigation Steps

Change it to

                let callStatus := call(
                    gas(),
                    caller(),
                    _remainingETH,
                    0,
                    0,
                    0,
                    0
                )

Also if leftover ETH is a concert, add an onwerOnly function for the owner to sweep remaining ETH.