LooksRare Aggregator contest - gz627's results

An NFT aggregator protocol.

General Information

Platform: Code4rena

Start Date: 08/11/2022

Pot Size: $60,500 USDC

Total HM: 6

Participants: 72

Period: 5 days

Judge: Picodes

Total Solo HM: 2

Id: 178

League: ETH

LooksRare

Findings Distribution

Researcher Performance

Rank: 31/72

Findings: 1

Award: $151.33

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-241

Awards

151.3257 USDC - $151.33

External Links

Lines of code

https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/LooksRareAggregator.sol#L109

https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/lowLevelCallers/LowLevelETH.sol#L43-L49

https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/lowLevelCallers/LowLevelETH.sol#L32-L38

Vulnerability details

Impact

If a user purchases NFTs with ETH (or ETH and ERC20 tokens) but supplies limited gas, it is possible that all purchase transactions succeed and some ETH (or ETH and ERC20 tokens) is left over. The leftover ETH may be trapped inside the contract, and the user suffers a loss.

Proof of Concept

  1. A user purchases some NFTs with ETH (or ETH and ERC20 tokens) but supplies limited gas.
  2. The purchases succeed and execution enters the refund stage: LooksRareAggregator.sol#L108-L109.
  3. ERC20 tokens are refunded correctly (if any error occurs, the whole transaction reverts, which is the correct behaviour).
  4. However, ETH can be trapped inside the contract if the leftover gas is not enough to pay for the refund call. The ETH refund path does not check the call's return status: LooksRareAggregator.sol#L109, LowLevelETH.sol#L43-L49. If the ETH refund fails, the transaction does not revert, so the ETH stays trapped inside the contract.

Tools Used

Manual audit.

Recommended Mitigation Steps

  1. Return the call status from the refund functions LowLevelETH.sol#L43-L49 and LowLevelETH.sol#L32-L38.
  2. Check the ETH refund status. If the refund fails, either revert or fall back to a path that can successfully refund the ETH, or refund it at a later stage.
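The pattern described in the proof of concept and the fix proposed in the mitigation steps, as an added illustration (not the LooksRare Aggregator code): `Aggregator`, `_spend`, `sink`, the two refund helpers and `RejectingBuyer` are all constructed for this example. The unchecked helper discards the low-level call's return value, so a failed refund leaves ETH in the contract without reverting; the checked helper reverts with a custom error instead. A receiver whose `receive()` rejects ETH stands in for the out-of-gas refund in the finding, since in both cases the low-level call returns `false`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration for this finding; not the LooksRare Aggregator code.
// `Aggregator` stands in for the aggregator contract, `_spend` for the
// purchase stage, and the two refund helpers for the unchecked and checked
// versions of the low-level ETH return.

error ETHTransferFail();

contract Aggregator {
    // Constructed stand-in for the marketplaces that are paid during a purchase.
    address public immutable sink;

    constructor(address _sink) {
        sink = _sink;
    }

    // Simulates the purchase stage: forwards `cost` and leaves the rest to refund.
    function _spend(uint256 cost) internal {
        require(msg.value >= cost, "insufficient ETH");
        (bool ok, ) = sink.call{value: cost}("");
        require(ok, "purchase failed");
    }

    // Vulnerable pattern: the refund status is ignored, so a failed refund
    // leaves ETH inside this contract and the transaction still succeeds.
    function _returnETHIfAnyUnchecked() internal {
        uint256 balance = address(this).balance;
        if (balance > 0) {
            (bool success, ) = msg.sender.call{value: balance}("");
            // `success` is intentionally unused in this version.
        }
    }

    // Hardened pattern: revert if the refund call does not succeed, so the
    // purchase and the refund either both happen or neither does.
    function _returnETHIfAny() internal {
        uint256 balance = address(this).balance;
        if (balance > 0) {
            (bool success, ) = msg.sender.call{value: balance}("");
            if (!success) revert ETHTransferFail();
        }
    }

    function executeUnchecked(uint256 cost) external payable {
        _spend(cost);
        _returnETHIfAnyUnchecked();
    }

    function executeChecked(uint256 cost) external payable {
        _spend(cost);
        _returnETHIfAny();
    }
}

// A caller whose receive() rejects ETH, so any refund sent to it fails.
contract RejectingBuyer {
    receive() external payable {
        revert("no ETH accepted");
    }

    // Succeeds, but the (msg.value - cost) refund fails silently and the
    // difference remains in `agg`.
    function buyUnchecked(Aggregator agg, uint256 cost) external payable {
        agg.executeUnchecked{value: msg.value}(cost);
    }

    // Reverts with ETHTransferFail(), so no ETH is left behind.
    function buyChecked(Aggregator agg, uint256 cost) external payable {
        agg.executeChecked{value: msg.value}(cost);
    }
}
```

To exercise it in a local test harness, deploy `Aggregator` with any externally owned account as `sink`, then call `RejectingBuyer.buyUnchecked` with a value larger than `cost` and observe that `address(agg).balance` equals the difference afterwards; the same call through `buyChecked` reverts, which is the behaviour the mitigation asks for.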

#0 - c4-judge

2022-11-19T11:01:52Z

Picodes marked the issue as duplicate of #241

#1 - c4-judge

2022-12-16T14:02:16Z

Picodes changed the severity to 2 (Med Risk)

#2 - c4-judge

2022-12-16T14:02:16Z

Picodes marked the issue as satisfactory
