Foundation contest - pedroais's results

Building the new creative economy

General Information

Platform: Code4rena

Start Date: 24/02/2022

Pot Size: $75,000 USDC

Total HM: 21

Participants: 28

Period: 7 days

Judge: alcueca

Total Solo HM: 15

Id: 94

League: ETH

Foundation

Findings Distribution

Researcher Performance

Rank: 16/28

Findings: 1

Award: $657.38

🌟 Selected for report: 1

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: pedroais

Also found by: WatchPug, leastwood

Labels

bug
2 (Med Risk)
sponsor acknowledged

Awards

657.3838 USDC - $657.38

External Links

Lines of code

https://github.com/code-423n4/2022-02-foundation/blob/4d8c8931baffae31c7506872bf1100e1598f2754/contracts/mixins/NFTMarketFees.sol#L40

https://github.com/code-423n4/2022-02-foundation/blob/4d8c8931baffae31c7506872bf1100e1598f2754/contracts/mixins/NFTMarketFees.sol#L188

Vulnerability details

Impact

A primary seller can circumvent the 15% fee and pay 5% as a secondary seller.

Context

The Foundation protocol charges a 15% fee if the sale is a primary sale and 5% if it is a secondary sale:

https://github.com/code-423n4/2022-02-foundation/blob/4d8c8931baffae31c7506872bf1100e1598f2754/contracts/mixins/NFTMarketFees.sol#L40

Two conditions must both be met for a sale to be treated as primary:

  1. The seller is one of the creators in the NFT metadata.
  2. It's the first time this NFT is sold on the foundation protocol.

The check is implemented here: https://github.com/code-423n4/2022-02-foundation/blob/4d8c8931baffae31c7506872bf1100e1598f2754/contracts/mixins/NFTMarketFees.sol#L188

Proof of Concept

Both conditions can be circumvented by the primary seller with little effort:

  1. The seller can transfer the NFT to a different wallet and sell it from there, which breaks the first condition (the selling address is no longer a listed creator).

  2. The seller can make a private sale to themselves for $1 (paying the 15% fee only on that dust amount) and then run a public auction at the real price, which breaks the second condition (the NFT has now been "sold" once on the protocol).

With either method the primary seller pays 5% as a secondary seller instead of 15%, which makes the primary sale fee effectively optional.
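As an added illustration (this is not the Foundation contracts' code or the warden's), a small Python monitor that replays platform sales in order and flags "secondary" sales matching either of the two paths above, so a protocol team that documents this as a known abuse path can at least spot it. The Sale record, its received_from field (which address sent the token to the seller, as a Transfer log would show) and the dust ratio are assumptions about what a monitoring service could derive from chain data; the sample sales are constructed.

```python
from dataclasses import dataclass

PRIMARY_FEE_BPS = 1500    # 15% charged on a primary sale (figures from the finding)
SECONDARY_FEE_BPS = 500   # 5% charged on a secondary sale

@dataclass
class Sale:
    token: str
    seller: str
    buyer: str
    price: int           # integer price units (constructed sample data below)
    received_from: str   # assumed: who transferred the token to the seller, per Transfer logs

def is_primary(creators: set, seller: str, prior: list) -> bool:
    # The two conditions the finding describes: seller is a listed creator and the
    # token has not been sold on the platform before (a model, not the contract's code).
    return seller in creators and not prior

def flag_fee_avoidance(creators: dict, sales: list, dust_ratio: float = 0.01) -> list:
    """Replay sales in order; return (token, reason, fee_shortfall) for each secondary
    sale that looks like a disguised primary sale. fee_shortfall = 15% minus 5% of price."""
    history: dict = {}
    alerts = []
    for s in sales:
        prior = history.setdefault(s.token, [])
        cset = creators[s.token]
        if not is_primary(cset, s.seller, prior):
            shortfall = s.price * (PRIMARY_FEE_BPS - SECONDARY_FEE_BPS) // 10_000
            # Path 1: no platform sale yet, and the seller got the token straight from a creator
            if not prior and s.received_from in cset:
                alerts.append((s.token, "first sale from wallet funded directly by creator", shortfall))
            # Path 2: an earlier platform sale by a creator was a self-sale or dust-priced vs this one
            for p in prior:
                if p.seller in cset and (p.buyer == p.seller or p.price < s.price * dust_ratio):
                    alerts.append((s.token, "creator dust/self sale preceded real sale", shortfall))
                    break
        prior.append(s)
    return alerts

# Constructed sample: creator 0xc1 minted tokens A, B and C.
CREATORS = {"A": {"0xc1"}, "B": {"0xc1"}, "C": {"0xc1"}}
SAMPLE_SALES = [
    Sale("A", "0xc1", "0xb1", 10_000, received_from="mint"),   # honest primary sale, 15% fee
    Sale("B", "0xa2", "0xb2", 10_000, received_from="0xc1"),   # path 1: moved to 0xa2 first
    Sale("C", "0xc1", "0xc1", 1, received_from="mint"),        # path 2: $1 self-sale at 15%
    Sale("C", "0xc1", "0xb3", 10_000, received_from="0xc1"),   # then the real sale at 5%
]

if __name__ == "__main__":
    for alert in flag_fee_avoidance(CREATORS, SAMPLE_SALES):
        print(alert)
```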

#0 - HardlyDifficult

2022-03-02T20:52:27Z

Yes, this is possible. It's a good limitation to note and we should have it called out as a known issue / potential abuse path.

It's not clear how we could avoid this though while still keeping primary fees around - so I think all we can do is document it for now. This has been true since our launch a year ago and we are not aware of anyone abusing it yet. We think that's because NFT provenance is very important, so if it was being sold from a different account than the creator it's possible that would not get as much attention and potentially sell for less than they could have gotten accepting the primary sale fee.
