Platform: Code4rena
Start Date: 05/10/2022
Pot Size: $50,000 USDC
Total HM: 2
Participants: 80
Period: 5 days
Judge: GalloDaSballo
Id: 168
League: ETH
Rank: 25/80
Findings: 2
Award: $165.30
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: dipp
Also found by: 0x4non, 0x52, 0xRobocop, 0xc0ffEE, 8olidity, Ch_301, Jeiwan, Junnon, KIntern_NA, Lambda, M4TZ1P, MiloTruck, Nyx, PaludoX0, Ruhum, RustyRabbit, Soosh, TomJ, Trust, arcoun, aviggiano, bardamu, cryptonue, csanuragjain, d3e4, enckrish, exd0tpy, hansfriese, jayphbee, joestakey, ladboy233, minhquanym, minhtrng, nicobevi, obront, polymorphism, rokinot, romand, rotcivegaf, rvierdiiev, saian, serial-coder, trustindistrust, zzykxx
114.8239 USDC - $114.82
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/matchingPolicies/StandardPolicyERC1155.sol#L33 https://github.com/code-423n4/2022-10-blur/blob/main/contracts/matchingPolicies/StandardPolicyERC1155.sol#L59
StandardPolicyERC1155 return amount 1 whatever order.amount is.
Buyer want to buy multiple amount but sent only 1.
There is amount parameter in order. This config amount of erc1155 token.
But StandardPolicyERC1155 always return amount 1.
This will lead to buyer loss.
VS Code
return order.amount at StandardPolicyERC1155
#0 - GalloDaSballo
2022-10-13T22:27:24Z
🌟 Selected for report: 0x4non
Also found by: 0x1f8b, 0xNazgul, 0xSmartContract, Deivitto, IllIllI, Lambda, RaymondFam, Rolezn, RustyRabbit, Trust, arcoun, bin2chen, brgltd, csanuragjain, d3e4, enckrish, exd0tpy, ladboy233, nicobevi, rbserver, rotcivegaf, simon135, zzykxx
50.4817 USDC - $50.48
There is some address _weth, _executionDelegate, _policyManager, _oracle need to be check zero address at BlurExchange.initialize()
sell.order.fee when match orders.return ( (makerAsk.side != takerBid.side) && (makerAsk.paymentToken == takerBid.paymentToken) && (makerAsk.collection == takerBid.collection) && (makerAsk.tokenId == takerBid.tokenId) && (makerAsk.matchingPolicy == takerBid.matchingPolicy) && (makerAsk.price == takerBid.price), makerAsk.price, makerAsk.tokenId, 1, AssetType.ERC721 );
There is no check logic makerAsk.fee and tackerBid.fee are same.
Just use sell.order.fee when _executeTokenTransfer() this could be triky.
executionDelegate.transferERC20 return value.https://github.com/code-423n4/2022-10-blur/blob/main/contracts/BlurExchange.sol#L511
Executiondelegate.transferERC20() has bool return value that transfer is success or not.
When transfer token at BlurExchange, this return value need to be checked.
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/lib/EIP712.sol#L84-L110
Nonce is in hash order but if blur is deploy at different chain, this signed hash order could be re-use. So I recommand include chain id and contract address at hash message.
DOMAIN_SEPARATOR are not immutable. https://github.com/code-423n4/2021-11-malt-findings/issues/349
Constants should be written in UPPER_CASE, see Solidity naming conventions.
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/BlurExchange.sol#L57-L58
When execute BlurExchange.initialize() isOpen is set 1.
This mean Exchange is now open, so need to emit Opened event.
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/BlurExchange.sol#L104
sell.order.side != Side.SellThere is no revert message at require(sell.order.side == Side.Sell);.
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/BlurExchange.sol#L134
When using solidity version >0.8.1 extcodesize can replace to [address].code.length
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/BlurExchange.sol#L554-L556
#0 - GalloDaSballo
2022-10-23T20:02:53Z
L
L
TODO - M-01
This is a misunderstanding as the signature does check via DOMAIN_SEPARATOR Disagree per linked below https://github.com/code-423n4/2022-10-blur/blob/431d53c3fe4f1aa697f0f3466691232cde86749d/contracts/lib/EIP712.sol#
Don't think you have articulated this well so I'm not awarding it, please add details in your submissions, the report needs to stand on it's own
Disagree with specific instances
NC
NC
Overall genuine looking report
2L 2NC