Caviar Private Pools - oxen's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Platform: Code4rena

Start Date: 07/04/2023

Pot Size: $47,000 USDC

Total HM: 20

Participants: 120

Period: 6 days

Judge: GalloDaSballo

Total Solo HM: 4

Id: 230

League: ETH

Caviar

Findings Distribution

Researcher Performance

Rank: 79/120

Findings: 1

Award: $26.76

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Caviar

Findings Information

🌟 Selected for report: ladboy233

Also found by: 0x4non, 0xTheC0der, ElKu, Emmanuel, JGcarv, Koolex, Norah, Noro, Ruhum, Voyvoda, chaduke, decade, giovannidisiena, minhtrng, nemveer, nobody2018, oxen, said, sashik_eth, sces60107, teddav, ulqiorra

Awards

26.761 USDC - $26.76

Labels

bug

3 (High Risk)

satisfactory

duplicate-184

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-04-caviar/blob/cd8a92667bcb6657f70657183769c244d04c015c/src/PrivatePool.sol#L459

Vulnerability details

Impact

Owner steals NFT/ERC depending on what the victim approved and intended to sell/buy/exchange to the PrivatePool.

Proof of Concept

Step 1: Victim sends approval of NFT/ERC20 for the PrivatePool
Step 2: Malicious Owner of PrivatePool listens to the Mempool and backruns the transaction

The transaction of "Step 2" would safeTransfer from the Victim to an attacker controlled address.

Note

Please note that this vulnerability has broader scope than the automated finding of M-1: Centralization Risk for trusted owners. Centralization risk would be the owner doing something with the funds of the pool. Not the owner doing something with funds that were intended to be exchanged for something.

Recommended Mitigation Steps

At the minimum the execute function should disallow calls to the baseToken (if ERC pool) and the NFT contract. Better would be to add a time delay on the execute function as some contracts have multiple entry points and simply disallowing calls to the ERC/NFT would not work.

#0 - c4-pre-sort
2023-04-20T16:40:29Z

0xSorryNotSorry marked the issue as duplicate of #184

#1 - c4-judge
2023-05-01T19:21:22Z

GalloDaSballo marked the issue as satisfactory

Caviar Private Pools - oxen's results

A fully on-chain NFT AMM that allows you to trade every NFT in a collection.

General Information

Findings Distribution

Researcher Performance

External Links

[H-02] Malicious Owner can back run approvals to steal - $26.76

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Note

Recommended Mitigation Steps

#0 - c4-pre-sort2023-04-20T16:40:29Z

#1 - c4-judge2023-05-01T19:21:22Z

#0 - c4-pre-sort
2023-04-20T16:40:29Z

#1 - c4-judge
2023-05-01T19:21:22Z