Blur Exchange contest - polymorphism's results

An NFT exchange for the Blur marketplace.

General Information

Platform: Code4rena

Start Date: 05/10/2022

Pot Size: $50,000 USDC

Total HM: 2

Participants: 80

Period: 5 days

Judge: GalloDaSballo

Id: 168

League: ETH

Blur Exchange

Researcher Performance

Rank: 53/80

Findings: 1

Award: $114.82

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

114.8239 USDC - $114.82

Labels

bug
duplicate
3 (High Risk)
edited-by-warden

External Links

Lines of code

https://github.com/code-423n4/2022-10-blur/blob/main/contracts/BlurExchange.sol#L425
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/matchingPolicies/StandardPolicyERC1155.sol#L33
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/BlurExchange.sol#L429
https://github.com/code-423n4/2022-10-blur/blob/main/contracts/matchingPolicies/StandardPolicyERC1155.sol#L59

Vulnerability details

Impact

For NFTs of type ERC1155, there may be multiple tokens with the same tokenId. Therefore, when processing ERC1155 orders, it is necessary to check not only that the tokenId in the buyer's and the seller's orders match, but also that the amounts match.

The canMatchMakerAsk() and canMatchMakerBid() functions don't check whether the amount parameters in the two orders are equal. This could lead to attacks where a buyer obtains 2 or more tokens but pays for only 1 token.

Furthermore, the _canMatchOrders() function returns a constant value of 1 for the amount return value, which means that only one token under the specified tokenId can be transferred at a time. This is most likely different from what the function was designed to do. It could lead to attacks where a seller sells only 1 token to a victim buyer, but at a price equivalent to 2 or more tokens.

Proof of Concept

Tools Used

The canMatchMakerAsk() and canMatchMakerBid() functions should add an amount check and return the correct values.

The recommended changes are as follows.

function canMatchMakerAsk(Order calldata makerAsk, Order calldata takerBid)
        external
        pure
        override
        returns (
            bool,
            uint256,
            uint256,
            uint256,
            AssetType
        )
    {
        return (
            (makerAsk.side != takerBid.side) &&
            (makerAsk.paymentToken == takerBid.paymentToken) &&
            (makerAsk.collection == takerBid.collection) &&
            (makerAsk.tokenId == takerBid.tokenId) &&
            (makerAsk.matchingPolicy == takerBid.matchingPolicy) &&
            (makerAsk.price == takerBid.price) &&
            (makerAsk.amount == takerBid.amount), //@audit add checking
            makerAsk.price,
            makerAsk.tokenId,
            makerAsk.amount,   //@audit correct return value
            AssetType.ERC1155
        );
    }

function canMatchMakerBid(Order calldata makerBid, Order calldata takerAsk)
        external
        pure
        override
        returns (
            bool,
            uint256,
            uint256,
            uint256,
            AssetType
        )
    {
        return (
            (makerBid.side != takerAsk.side) &&
            (makerBid.paymentToken == takerAsk.paymentToken) &&
            (makerBid.collection == takerAsk.collection) &&
            (makerBid.tokenId == takerAsk.tokenId) &&
            (makerBid.matchingPolicy == takerAsk.matchingPolicy) &&
            (makerBid.price == takerAsk.price) &&
            (makerBid.amount == takerAsk.amount),  //@audit add checking
            makerBid.price,
            makerBid.tokenId,
            makerBid.amount,    //@audit correct return value
            AssetType.ERC1155
        );
    }
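The effect of the two recommended changes can be checked with a small model. The following is an added example in Python, not the project's Solidity and not part of the original submission: `policy_as_reported` models the behaviour the finding describes (no amount comparison, amount fixed at 1), `policy_recommended` models the fix above, and the helper names, the sample orders and the "WETH" and "0xCollection" values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    side: str             # "buy" or "sell"
    payment_token: str
    collection: str
    token_id: int
    matching_policy: str
    price: int            # price the order was signed for
    amount: int           # number of ERC1155 tokens the order was signed for

def _fields_match(maker: Order, taker: Order) -> bool:
    # The comparisons shared by both versions of the policy.
    return (maker.side != taker.side
            and maker.payment_token == taker.payment_token
            and maker.collection == taker.collection
            and maker.token_id == taker.token_id
            and maker.matching_policy == taker.matching_policy
            and maker.price == taker.price)

def policy_as_reported(maker: Order, taker: Order):
    # Behaviour described in the finding: amounts not compared, amount fixed at 1.
    return _fields_match(maker, taker), maker.price, maker.token_id, 1

def policy_recommended(maker: Order, taker: Order):
    # Recommended change: compare amounts and return the maker's amount.
    ok = _fields_match(maker, taker) and maker.amount == taker.amount
    return ok, maker.price, maker.token_id, maker.amount

def settlement_discrepancies(policy, maker: Order, taker: Order) -> list[str]:
    """List ways an accepted match differs from what either party signed."""
    ok, _price, _token_id, settled = policy(maker, taker)
    if not ok:
        return []  # rejected matches settle nothing
    issues = []
    if maker.amount != taker.amount:
        issues.append(f"orders disagree on amount: {maker.amount} vs {taker.amount}")
    for role, order in (("maker", maker), ("taker", taker)):
        if order.amount != settled:
            issues.append(f"{role} signed for {order.amount}, policy settles {settled}")
    return issues

# Constructed sample orders: same token and price, different amounts.
ASK = Order("sell", "WETH", "0xCollection", 7, "StandardPolicyERC1155", 100, 1)
BID = Order("buy", "WETH", "0xCollection", 7, "StandardPolicyERC1155", 100, 2)

if __name__ == "__main__":
    for policy in (policy_as_reported, policy_recommended):
        print(policy.__name__, settlement_discrepancies(policy, ASK, BID))
```

The same helper works as a regression check: any accepted match for which it returns a non-empty list settles something other than what one of the parties signed.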

#0 - GalloDaSballo

2022-10-13T22:30:19Z
