Platform: Code4rena
Start Date: 07/04/2023
Pot Size: $47,000 USDC
Total HM: 20
Participants: 120
Period: 6 days
Judge: GalloDaSballo
Total Solo HM: 4
Id: 230
League: ETH
Rank: 73/120
Findings: 1
Award: $26.76
Selected for report: 0
Solo Findings: 0
26.761 USDC - $26.76
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L166
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L244
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L270
EthRouter calls ERC721(nft).setApprovalForAll in many functions. This gives the pools full approval over the NFTs. An attacker can make EthRouter give full approval of NFTs to a malicious pool address by passing the fake pool address to those functions.
Many functions in EthRouter call ERC721(nft).setApprovalForAll to give the pool full approval over the NFTs. deposit() is one of them.
https://github.com/code-423n4/2023-04-caviar/blob/main/src/EthRouter.sol#L244
function deposit(
    address payable privatePool,
    address nft,
    uint256[] calldata tokenIds,
    uint256 minPrice,
    uint256 maxPrice,
    uint256 deadline
) public payable {
    …
    // approve pair to transfer NFTs from router
    ERC721(nft).setApprovalForAll(privatePool, true);
    …
}
An attacker can call EthRouter.deposit() with a malicious pool address and any NFT address. The malicious pool then has full control of those NFTs on EthRouter.
Manual Review
Do not use setApprovalForAll if the private pool address isn't fully trusted. Use approve for each NFT token.
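The recommendation above, sketched as an added example (not code from the Caviar repository or from the original submission): the router approves the pool for each deposited token only, and clears the approval on anything the pool did not take. IPool, its deposit signature and the ScopedApprovalRouter contract are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-721 surface used below (standard function signatures).
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
    function approve(address to, uint256 tokenId) external;
    function ownerOf(uint256 tokenId) external view returns (address);
}

// Hypothetical pool interface, assumed for this example.
interface IPool {
    function deposit(uint256[] calldata tokenIds, uint256 baseTokenAmount) external payable;
}

// Hypothetical router showing per-token approvals instead of setApprovalForAll.
contract ScopedApprovalRouter {
    function deposit(address payable pool, address nft, uint256[] calldata tokenIds)
        external
        payable
    {
        IERC721 token = IERC721(nft);

        for (uint256 i = 0; i < tokenIds.length; i++) {
            // Pull the NFT from the caller, then approve the pool for this token only.
            // No operator-wide approval is ever granted to the caller-supplied address.
            token.transferFrom(msg.sender, address(this), tokenIds[i]);
            token.approve(pool, tokenIds[i]);
        }

        IPool(pool).deposit{value: msg.value}(tokenIds, msg.value);

        for (uint256 i = 0; i < tokenIds.length; i++) {
            // If the pool left a token behind, revoke its approval and return
            // the token, so no approval outlives this call.
            if (token.ownerOf(tokenIds[i]) == address(this)) {
                token.approve(address(0), tokenIds[i]);
                token.transferFrom(address(this), msg.sender, tokenIds[i]);
            }
        }
    }
}
```

A standard ERC-721 clears a per-token approval when the token is transferred, so the approval granted here is consumed by the deposit itself and covers no other token held by the router.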
#0 - c4-pre-sort
2023-04-20T16:40:43Z
0xSorryNotSorry marked the issue as duplicate of #184
#1 - c4-judge
2023-05-01T19:21:21Z
GalloDaSballo marked the issue as satisfactory