Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 40/72
Findings: 1
Award: $77.22
🌟 Selected for report: 0
🚀 Solo Findings: 0
77.2215 USDC - $77.22
Any user can execute a trade on the aggregator to collect trapped tokens, an action that should be allowed only for the owner.
The issue is in how _returnERC20TokensIfAny determines the amount to send back: it reads the contract's own token balances, so any tokens already held by the contract are swept to the caller along with the caller's leftover funds.
We can easily prove this attack by going to SeaportProxyERC721USDCTest and dealing $1m USDC to the aggregator beforehand.
deal(USDC, address(aggregator), 1_000_000e6);
By running the test
FOUNDRY_PROFILE=local forge test --match-contract SeaportProxyERC721USDCTest -vv
we get
[FAIL. Reason: Assertion failed.] testExecuteWithFeesAtomic() (gas: 819972) Logs: Error: a == b not satisfied [uint] Expected: 13125000000 Actual: 1013125000000
showing that the balance of the buyer was increased by $1m (forge computes the difference between the buyer's balance before and after the trade).
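Added illustration of the refund pattern at issue, written for this report rather than taken from the audited code base: the names AggregatorSketch, _trade and rescueERC20 are hypothetical. The vulnerable variant refunds the contract's whole balance; the hardened variant snapshots the balance on entry and refunds only what this call brought in, leaving pre-existing (trapped) tokens for the owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Hypothetical sketch, not the audited contract. Real code should wrap
// transfer/transferFrom with SafeERC20 (USDC-style tokens vary in return values).
abstract contract AggregatorSketch {
    address public immutable owner;

    constructor() { owner = msg.sender; }

    // Trade execution hook; concrete proxies implement it. Assumed to spend
    // at most the tokens pulled in for this call.
    function _trade(IERC20 token, uint256 amountIn, bytes calldata data) internal virtual;

    // VULNERABLE PATTERN: refund whatever the contract holds. Tokens that were
    // trapped before the call are swept to the caller, so anyone who executes
    // a trade receives them.
    function _returnERC20TokensIfAnyVulnerable(IERC20 token, address to) internal {
        uint256 bal = token.balanceOf(address(this));
        if (bal > 0) token.transfer(to, bal);
    }

    // HARDENED PATTERN: snapshot before pulling funds, refund only the surplus.
    function executeHardened(IERC20 token, uint256 amountIn, bytes calldata data) external {
        uint256 before = token.balanceOf(address(this)); // trapped balance, if any
        token.transferFrom(msg.sender, address(this), amountIn);
        _trade(token, amountIn, data);
        uint256 after_ = token.balanceOf(address(this));
        // If the trade dipped into the pre-existing balance, something is wrong.
        require(after_ >= before, "trade spent pre-existing balance");
        uint256 refund = after_ - before; // only the caller's unspent input
        if (refund > 0) token.transfer(msg.sender, refund);
    }

    // Trapped tokens remain recoverable, but only by the owner.
    function rescueERC20(IERC20 token, address to) external {
        require(msg.sender == owner, "not owner");
        token.transfer(to, token.balanceOf(address(this)));
    }
}
```

With the hardened pattern, the $1m dealt to the aggregator in the test above stays in the contract and the buyer's balance diff equals only the unspent input, so the assertion in testExecuteWithFeesAtomic would hold.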
#0 - c4-judge
2022-11-21T08:33:37Z
Picodes marked the issue as duplicate of #277
#1 - c4-judge
2022-12-16T14:01:38Z
Picodes marked the issue as satisfactory