code-423n4 / 2022-05-opensea-seaport-findings


Malicious offerers can easily create lots of invalid offers #122

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/Consideration.sol#L517

Vulnerability details

Impact

Creating an offer is pretty convenient in Seaport. Offerers don’t have to give the offered items to Seaport. They just need to make sure that when someone tries to fulfill their order, they have already set sufficient approvals.

However, this convenience may cause serious problems. Malicious offerers can easily produce lots of invalid offers since they don’t actually need to own the sufficient tokens. These invalid offers can be put on any marketplace based on Seaport. It could ruin the marketplace.

For example, Bob wants a specific NFT token. He goes to a marketplace based on Seaport to seek a good order. However, Alice created lots of orders that use the NFT token Bob wants as the offered item. Those invalid orders will waste Bob’s time and gas. It is hard for Bob to tell the difference between valid orders and invalid orders. Bob may lose his faith in the marketplace based on Seaport.

Proof of Concept

Tools Used

None

Recommended Mitigation Steps

If getOrderStatus() can also check the approval of offered items, this vulnerability can be easily fixed.

0age commented 2 years ago

This is patently incorrect; yes, an order without sufficient approvals or balance is not currently fulfillable but the order itself is still valid (indeed, the "hidden listings" issue that OpenSea recently faced was due to this very thing).

Marketplaces should check approvals and balances and reject orders that do not also have sufficient allowance / balances, but Seaport still recognizes the orders as valid until they are explicitly cancelled or have their nonce incremented as they could become active in the future.

HardlyDifficult commented 2 years ago

This concern is inherent to any marketplace which does not escrow assets. An order may be created and is valid even if the seller had never owned the asset being offered. It could not be filled in that state of course because any attempt to make the necessary transfers would fail. However, if the seller were to later acquire the asset and grant the necessary approval, then the order they had originally created is then fillable.

As the sponsor points out, it's up to the marketplace or website to manage how offers are surfaced to users in order to create a good experience.

Additionally, no gas is required to check if an offer found is both a valid offer and currently fulfillable.
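The marketplace-side filter the two replies describe, as an added example that is not part of any comment in the thread and is not Seaport or OpenSea code: it separates validity (not cancelled, nonce unchanged) from fulfillability (balance and approval) before an order is surfaced. The state snapshot, the `OPERATOR` placeholder and all function and field names are assumptions standing in for gas-free reads of chain state.

```javascript
// Constructed snapshot standing in for on-chain reads; every name here is hypothetical.
const OPERATOR = "0xOPERATOR_PLACEHOLDER"; // address the offerer must approve
const chain = {
  nonce: { alice: 1, carol: 0 },           // current nonce per offerer
  cancelled: new Set(["0xhash3"]),         // explicitly cancelled order hashes
  nftOwner: { "NFT#1": "carol", "NFT#2": "dave" },
  nftApproved: new Set([`carol:NFT:${OPERATOR}`]),
  erc20: { "alice:WETH": { balance: 5n, allowance: 10n } },
};

// Validity as described in the thread: not cancelled and nonce not incremented.
function isValid(order, s) {
  return !s.cancelled.has(order.hash) && order.nonce === (s.nonce[order.offerer] ?? 0);
}

// Fulfillability: the offerer holds every offered item and has approved its transfer.
function isFulfillable(order, s) {
  return order.offer.every((item) => {
    if (item.type === "ERC721") {
      return s.nftOwner[`${item.token}#${item.id}`] === order.offerer &&
        s.nftApproved.has(`${order.offerer}:${item.token}:${OPERATOR}`);
    }
    if (item.type === "ERC20") {
      const a = s.erc20[`${order.offerer}:${item.token}`];
      return !!a && a.balance >= item.amount && a.allowance >= item.amount;
    }
    return false; // unknown item type: do not surface
  });
}

function classify(order, s) {
  if (!isValid(order, s)) return "invalid";
  return isFulfillable(order, s) ? "listable" : "valid-not-fulfillable";
}

// Constructed orders covering each outcome.
const orders = [
  { hash: "0xhash1", offerer: "carol", nonce: 0, offer: [{ type: "ERC721", token: "NFT", id: 1 }] },
  { hash: "0xhash2", offerer: "alice", nonce: 1, offer: [{ type: "ERC721", token: "NFT", id: 2 }] }, // not owned
  { hash: "0xhash3", offerer: "carol", nonce: 0, offer: [{ type: "ERC721", token: "NFT", id: 1 }] }, // cancelled
  { hash: "0xhash4", offerer: "alice", nonce: 0, offer: [{ type: "ERC20", token: "WETH", amount: 3n }] }, // stale nonce
  { hash: "0xhash5", offerer: "alice", nonce: 1, offer: [{ type: "ERC20", token: "WETH", amount: 7n }] }, // balance too low
];

const classifyAll = (list, s) => list.map((o) => [o.hash, classify(o, s)]);
console.log(classifyAll(orders, chain));
```

Orders in the `valid-not-fulfillable` state should be hidden rather than discarded, since they can become fillable later without being re-signed.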