Blur Exchange contest - hansfriese's results

An NFT exchange for the Blur marketplace.

General Information

Platform: Code4rena

Start Date: 05/10/2022

Pot Size: $50,000 USDC

Total HM: 2

Participants: 80

Period: 5 days

Judge: GalloDaSballo

Id: 168

League: ETH

Blur Exchange

Findings Distribution

Researcher Performance

Rank: 34/80

Findings: 1

Award: $114.82

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-10-blur/blob/2fdaa6e13b544c8c11d1c022a575f16c3a72e3bf/contracts/matchingPolicies/StandardPolicyERC1155.sol#L12-L62

Vulnerability details

Impact

StandardPolicyERC1155.sol doesn't validate order.amount properly.

This contract is used to check the matching policy for orders of ERC1155 tokens.

But it doesn't check the ERC1155 token amount properly, so traders might lose funds unexpectedly.

Proof of Concept

As we can see here, order.amount can be greater than 1 for ERC1155 tokens.

But canMatchMakerAsk and canMatchMakerBid don't validate the amounts of the buy/sell orders at all and just return 1 as the amount.

So the scenario below is possible.

  • A user Alice created a buy order for an ERC1155 tokenId with amount = 10 and price = 1 ETH
  • After noticing that, Bob created a sell order for the same ERC1155 token with amount = 10 and price = 1 ETH
  • Bob then executed the orders successfully using execute()
  • While the policy is checked here, the amount will always be 1 because the functions in StandardPolicyERC1155.sol return 1 here and here.
  • So Alice gets 1 ERC1155 token for 1 ETH although she wanted to buy 10 tokens for 1 ETH.

Tools Used

Solidity Visual Developer extension for VSCode

Recommended Mitigation Steps

We should validate the amount properly and return the correct value from canMatchMakerAsk() and canMatchMakerBid().

function canMatchMakerAsk(Order calldata makerAsk, Order calldata takerBid)
    external
    pure
    override
    returns (
        bool,
        uint256,
        uint256,
        uint256,
        AssetType
    )
{
    return (
        (makerAsk.side != takerBid.side) &&
        (makerAsk.paymentToken == takerBid.paymentToken) &&
        (makerAsk.collection == takerBid.collection) &&
        (makerAsk.tokenId == takerBid.tokenId) &&
        (makerAsk.matchingPolicy == takerBid.matchingPolicy) &&
        (makerAsk.price == takerBid.price) &&
        (makerAsk.amount == takerBid.amount), // added: both sides must agree on the ERC1155 amount
        makerAsk.price,
        makerAsk.tokenId,
        makerAsk.amount, // added: return the real amount instead of the hard-coded 1
        AssetType.ERC1155
    );
}
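The following is an added, self-contained example that is not code from the Blur repository or from the finding's author. It models the Alice/Bob scenario from the Proof of Concept and the fix recommended above side by side: a policy that ignores amount and hard-codes 1, the corrected policy that requires equal amounts and returns the real one, and a trimmed-down exchange that settles whatever amount the policy reports. The Order struct, IMatchingPolicy interface, ExchangeModel and Demo contracts are hypothetical stand-ins that keep only the fields the policy compares; only the maker-ask side is modelled, the bid side mirrors it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not code from the Blur repository. Order, ExchangeModel and Demo
// are hypothetical stand-ins that keep only the fields the policy compares.
enum Side { Buy, Sell }
enum AssetType { ERC721, ERC1155 }

struct Order {
    address trader;
    Side side;
    address matchingPolicy;
    address collection;
    uint256 tokenId;
    uint256 amount;
    address paymentToken;
    uint256 price;
}

interface IMatchingPolicy {
    function canMatchMakerAsk(Order calldata makerAsk, Order calldata takerBid)
        external pure returns (bool, uint256, uint256, uint256, AssetType);
}

// Shared field comparison: everything except amount, as the finding describes.
function fieldsMatch(Order calldata a, Order calldata b) pure returns (bool) {
    return (a.side != b.side) &&
        (a.paymentToken == b.paymentToken) &&
        (a.collection == b.collection) &&
        (a.tokenId == b.tokenId) &&
        (a.matchingPolicy == b.matchingPolicy) &&
        (a.price == b.price);
}

// Behaviour described in the finding: amount is never compared and the
// returned amount is hard-coded to 1.
contract UncheckedAmountPolicy is IMatchingPolicy {
    function canMatchMakerAsk(Order calldata makerAsk, Order calldata takerBid)
        external pure override returns (bool, uint256, uint256, uint256, AssetType)
    {
        return (fieldsMatch(makerAsk, takerBid), makerAsk.price, makerAsk.tokenId, 1, AssetType.ERC1155);
    }
}

// The recommended fix: amounts must agree and the real amount is returned.
contract CheckedAmountPolicy is IMatchingPolicy {
    function canMatchMakerAsk(Order calldata makerAsk, Order calldata takerBid)
        external pure override returns (bool, uint256, uint256, uint256, AssetType)
    {
        bool ok = fieldsMatch(makerAsk, takerBid) && (makerAsk.amount == takerBid.amount);
        return (ok, makerAsk.price, makerAsk.tokenId, makerAsk.amount, AssetType.ERC1155);
    }
}

// Hypothetical model of the exchange's execute(): it trusts the amount the policy
// returns, which is how a hard-coded 1 reaches settlement.
contract ExchangeModel {
    event Settled(address indexed buyer, uint256 tokenId, uint256 amount, uint256 price);

    function execute(Order calldata sell, Order calldata buy) external returns (uint256) {
        (bool ok, uint256 price, uint256 tokenId, uint256 amount, ) =
            IMatchingPolicy(sell.matchingPolicy).canMatchMakerAsk(sell, buy);
        require(ok, "orders do not match");
        // The real exchange would move `amount` units via ERC1155 safeTransferFrom and
        // `price` of paymentToken here; this model only reports the settled amount.
        emit Settled(buy.trader, tokenId, amount, price);
        return amount;
    }
}

// Reproduces the Alice/Bob scenario from the finding against either policy.
contract Demo {
    address constant ALICE = address(1);
    address constant BOB = address(2);
    address constant COLLECTION = address(3);

    function order(address trader, Side side, address policy, uint256 amount)
        internal pure returns (Order memory)
    {
        return Order({
            trader: trader, side: side, matchingPolicy: policy, collection: COLLECTION,
            tokenId: 7, amount: amount, paymentToken: address(0), price: 1 ether
        });
    }

    // Number of units Alice actually receives for her 1 ETH:
    // useFix == false -> 1 (the bug); useFix == true -> 10 (what both orders specified).
    function run(bool useFix) external returns (uint256) {
        address policy = useFix
            ? address(new CheckedAmountPolicy())
            : address(new UncheckedAmountPolicy());
        ExchangeModel exchange = new ExchangeModel();
        Order memory aliceBid = order(ALICE, Side.Buy, policy, 10);
        Order memory bobAsk = order(BOB, Side.Sell, policy, 10);
        return exchange.execute(bobAsk, aliceBid);
    }

    // With the fix, a 10-unit bid cannot be filled by a 1-unit ask: execute() reverts.
    function mismatchRejected() external returns (bool) {
        address policy = address(new CheckedAmountPolicy());
        ExchangeModel exchange = new ExchangeModel();
        try exchange.execute(order(BOB, Side.Sell, policy, 1), order(ALICE, Side.Buy, policy, 10)) returns (uint256) {
            return false;
        } catch {
            return true;
        }
    }
}
```

Deploy Demo and call run(false) to see the bug (1 unit settled against a 10-unit order at the full 1 ETH price) and run(true) to see the fix (10 units); mismatchRejected() shows that once amounts are compared, orders that disagree on amount no longer match at all instead of silently settling 1 unit.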

#0 - GalloDaSballo

2022-10-13T22:27:29Z
