Blur Exchange contest - simon135's results

An NFT exchange for the Blur marketplace.

General Information

Platform: Code4rena

Start Date: 05/10/2022

Pot Size: $50,000 USDC

Total HM: 2

Participants: 80

Period: 5 days

Judge: GalloDaSballo

Id: 168

League: ETH

Blur Exchange

Findings Distribution

Researcher Performance

Rank: 56/80

Findings: 1

Award: $50.48

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Blur Exchange

Findings Information

🌟 Selected for report: 0x4non

Also found by: 0x1f8b, 0xNazgul, 0xSmartContract, Deivitto, IllIllI, Lambda, RaymondFam, Rolezn, RustyRabbit, Trust, arcoun, bin2chen, brgltd, csanuragjain, d3e4, enckrish, exd0tpy, ladboy233, nicobevi, rbserver, rotcivegaf, simon135, zzykxx

Awards

50.4817 USDC - $50.48

Labels

bug

QA (Quality Assurance)

edited-by-warden

External Links

Link to GitHub issue

don’t use a static chainid because your vulnerable to replay attacks

If etherum forks that will be problem and can cause issues with static chainId

DOMAIN_SEPARATOR = _hashDomain(
EIP712Domain({
name: name,
version: version,
chainId: chainId,
verifyingContract: address(this)
})
);

https://github.com/code-423n4/2022-10-blur/blob/d1c22a94ed08b08fe3f7d5c96e973d80d3dc0e54/contracts/PolicyManager.sol#L37

owner can remove what every policys and cause users txs to revert

if an owner calls remove policys in the a block right before a users tx is exuecting it will cause the users to revert. make timelock and wait some time for owner to remove policys

   function removePolicy(address policy) external override onlyOwner {
        require(_whitelistedPolicies.contains(policy), "Not whitelisted");
        _whitelistedPolicies.remove(policy);

        emit PolicyRemoved(policy);
    }

https://github.com/code-423n4/2022-10-blur/blob/d1c22a94ed08b08fe3f7d5c96e973d80d3dc0e54/contracts/PolicyManager.sol#L37

small fees will be zero and not send money because of a small peression error

if price*feeds[i].rate <10,000 then the fee would be zero

uint256 fee = (price * fees[i].rate) / INVERSE_BASIS_POINT;
_transferTo(paymentToken, from, fees[i].recipient, fee);

The reason its low risk is because the price and fees most likely be under 10_000 https://github.com/code-423n4/2022-10-blur/blob/d1c22a94ed08b08fe3f7d5c96e973d80d3dc0e54/contracts/BlurExchange.sol#L477

if user suppies a lot of fees then there can be dos

there is no aggreement on fees and how much fees to take but it dosnt effect how much the buyer pays.

a malious fee recipent can make the call revert because of transfer works

don’t use .transfer it not good and it takes 2300 gas which can revert really easliy .transfer

payable(to).transfer(amount);

if the collection is different then the asset there can be loss of funds

or the collection is not eip complicance and dont use regular TransferFrom because the erc721 can be stuff if you use the wrong asset.

function _executeTokenTransfer(
address collection,
address from,
address to,
uint256 tokenId,
uint256 amount,
AssetType assetType
) internal {
/* Assert collection exists. */
require(_exists(collection), "Collection does not exist");
/* Call execution delegate. */
if (assetType == AssetType.ERC721) {
executionDelegate.transferERC721(collection, from, to, tokenId);
} else if (assetType == AssetType.ERC1155) {
executionDelegate.transferERC1155(
collection,
from,
to,
tokenId,
amount
);
}
}

if someone executes a trade and right before the seller increasing the nonce and makes the tx revert

I think this is an low issue but i think that is intended and its to bad that the exuctor wasted there gas but the seller/buyer didnt want to trade but it can make the seller/buyer malicious and cost a waste of txs.

#0 - GalloDaSballo
2022-10-24T00:01:58Z

don’t use a static chainid because your vulnerable to replay attacks

owner can remove what every policys and cause users txs to revert

I think L because ultimately no loss of value will happen

small fees will be zero and not send money because of a small peression error

if user suppies a lot of fees then there can be dos

a malious fee recipent can make the call revert because of transfer works

if the collection is different then the asset there can be loss of funds

if someone executes a trade and right before the seller increasing the nonce and makes the tx revert

Disagree as that's the purpose of the nonce

Need to improve spelling (just buy Grammarly tbh)

Unique report, very happy to see you progress!

Will have to remove a few points due to presentation but honestly am impressed

Blur Exchange contest - simon135's results

An NFT exchange for the Blur marketplace.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-18] QA Report - $50.48

Findings Information

Awards

Labels

External Links

don’t use a static chainid because your vulnerable to replay attacks

owner can remove what every policys and cause users txs to revert

small fees will be zero and not send money because of a small peression error

if user suppies a lot of fees then there can be dos

a malious fee recipent can make the call revert because of transfer works

if the collection is different then the asset there can be loss of funds

if someone executes a trade and right before the seller increasing the nonce and makes the tx revert

#0 - GalloDaSballo2022-10-24T00:01:58Z

don’t use a static chainid because your vulnerable to replay attacks

owner can remove what every policys and cause users txs to revert

small fees will be zero and not send money because of a small peression error

if user suppies a lot of fees then there can be dos

a malious fee recipent can make the call revert because of transfer works

if the collection is different then the asset there can be loss of funds

if someone executes a trade and right before the seller increasing the nonce and makes the tx revert

#1 - GalloDaSballo2022-10-24T00:02:04Z

#0 - GalloDaSballo
2022-10-24T00:01:58Z

#1 - GalloDaSballo
2022-10-24T00:02:04Z