Closed (code423n4 closed this issue 2 years ago)
This is an interesting finding, but ultimately can be remediated by simply clarifying that this is possible and clarifying that fulfillers should not provide a partial fill fraction above what they actually want to receive back, regardless of the fill fraction.
Grouping with the warden's QA report https://github.com/code-423n4/2022-05-opensea-seaport-findings/issues/150
Lines of code
https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/Assertions.sol#L58-L63
Vulnerability details
Impact
The Seaport contract derives an order's nonce by fetching the offerer's current nonce (Assertions.sol#L58-L63). As a result, the transaction sender may land on a different order if the offerer front-runs the fulfill transaction and increments the nonce.
The attack scenario:
Proof of Concept
Tools Used
Manual inspection
Recommended Mitigation Steps
Since the same order parameters can map to a different order state under a different nonce, the order nonce should be supplied explicitly in the fulfill transaction. Verifying that the supplied nonce is the offerer's latest one would be sufficient.
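The following Python model is an added example and is not Seaport code: it simulates the order-state bookkeeping behind both the Impact section (the nonce is read from storage when the fulfill executes, so an increment in between redirects the fill to a fresh order state) and the mitigation above (the fulfiller pins the expected nonce and the call reverts on mismatch). The `OrderBook` class, its method names, the SHA-256 stand-in for the EIP-712 order hash, and the `PARAMS` order with its `0xOFFERER` placeholder address are all constructed for the example.

```python
import hashlib
import json
from fractions import Fraction


class NonceMismatch(Exception):
    """Raised when the nonce pinned by the fulfiller no longer matches storage."""


class OrderBook:
    """Toy model of per-order fill state keyed by an order hash that
    incorporates the offerer's nonce (constructed for this example)."""

    def __init__(self):
        self.nonces = {}   # offerer -> current nonce
        self.filled = {}   # order hash -> fraction of the order already filled

    def increment_nonce(self, offerer):
        self.nonces[offerer] = self.nonces.get(offerer, 0) + 1
        return self.nonces[offerer]

    @staticmethod
    def order_hash(params, nonce):
        # Stand-in for the EIP-712 order hash: same params, different nonce -> different hash.
        encoded = json.dumps({"params": params, "nonce": nonce}, sort_keys=True).encode()
        return hashlib.sha256(encoded).hexdigest()

    def _fill(self, order_hash, fraction):
        # Partial fills are capped at whatever remains of this order state.
        already = self.filled.get(order_hash, Fraction(0))
        take = min(fraction, Fraction(1) - already)
        self.filled[order_hash] = already + take
        return order_hash, take

    def fulfill_using_current_nonce(self, params, fraction):
        """Pattern the finding describes: the nonce is read from storage at
        execution time, so the fulfiller does not control which order state
        the transaction lands on."""
        nonce = self.nonces.get(params["offerer"], 0)
        return self._fill(self.order_hash(params, nonce), fraction)

    def fulfill_with_expected_nonce(self, params, fraction, expected_nonce):
        """Mitigation: the fulfiller pins the nonce and the call reverts if the
        offerer has moved it since the transaction was built."""
        current = self.nonces.get(params["offerer"], 0)
        if expected_nonce != current:
            raise NonceMismatch(f"expected nonce {expected_nonce}, current is {current}")
        return self._fill(self.order_hash(params, current), fraction)


# Constructed order parameters; the offerer address is a placeholder.
PARAMS = {"offerer": "0xOFFERER", "offer": "10 WETH", "consideration": "100 TOKEN"}


def vulnerable_scenario():
    book = OrderBook()
    # A first fulfiller takes half of the order under nonce 0.
    hash_before, _ = book.fulfill_using_current_nonce(PARAMS, Fraction(1, 2))
    # A second fulfiller submits a 100% fill expecting to be capped at the remaining 50%,
    # but the offerer increments the nonce before that transaction executes.
    book.increment_nonce(PARAMS["offerer"])
    hash_after, taken = book.fulfill_using_current_nonce(PARAMS, Fraction(1))
    # The hash changed, so the fill hit a fresh, unfilled order state and took the full amount.
    return hash_before != hash_after, float(taken)


def mitigated_scenario():
    book = OrderBook()
    book.fulfill_with_expected_nonce(PARAMS, Fraction(1, 2), expected_nonce=0)
    book.increment_nonce(PARAMS["offerer"])
    try:
        book.fulfill_with_expected_nonce(PARAMS, Fraction(1), expected_nonce=0)
    except NonceMismatch:
        return "reverted"
    return "executed"


if __name__ == "__main__":
    print(vulnerable_scenario())   # (True, 1.0)
    print(mitigated_scenario())    # reverted
```

The pinned-nonce check is deliberately strict: a fulfill built against a stale nonce fails outright rather than being silently applied to whichever order state the offerer's current nonce selects, which is the behaviour the mitigation step asks for.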