Closed code423n4 closed 2 years ago
This is already supported by using matchOrders and setting the endTime on the fulfiller's order.
As the sponsor has noted, matchOrders allows the fulfillers to be protected with a deadline by setting endTime in their order.
To expand on this, Verifiers._verifyTime() will check that block.timestamp is within the bounds of startTime and endTime. If the pending tx is left unconfirmed for some amount of time, the user's order will expire, hence, this is a non-issue.
Lines of code
https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/Consideration.sol#L76
https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/Consideration.sol#L108
Vulnerability details
Impact
A fulfill transaction of an order with a descending/ascending amount should be protected by the deadline.
The price of an order with a descending amount is sensitive to the time. Letting users make such a trade without providing the deadline would lead to unfavorable results. As OpenSea is facing different groups of users, developers should take one step further to protect users.
We consider the answer is yes to the above questions.
A possible scenario:
Proof of Concept
As stated above.
Tools Used
Manual inspection
Recommended Mitigation Steps
Recommend the team to add an optional deadline parameter in fulfillOrder, fulfillBasicOrder, fulfillAdvancedOrder.
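Added example (not part of the original report or the comments, and not Seaport code): a small Python model of the three positions in this thread, namely a plain fulfill guarded only by the maker's time bounds, the report's optional deadline, and the matchOrders route where the fulfiller's own endTime acts as the deadline. The Order class, the function names, the linear interpolation with floor rounding, the start-inclusive/end-exclusive bounds and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class OrderInactive(Exception):
    """An order is outside its [start_time, end_time) window."""


class DeadlinePassed(Exception):
    """The fulfiller's own deadline has passed."""


@dataclass(frozen=True)
class Order:  # hypothetical, reduced to the fields this thread discusses
    start_time: int
    end_time: int
    start_amount: int = 0  # amount the fulfiller receives at start_time
    end_amount: int = 0    # amount the fulfiller receives at end_time


def verify_time(order: Order, now: int) -> bool:
    # Models the bounds check the judge describes for Verifiers._verifyTime().
    return order.start_time <= now < order.end_time


def current_amount(order: Order, now: int) -> int:
    # Assumed linear interpolation between start and end amounts, rounded down.
    duration = order.end_time - order.start_time
    elapsed = now - order.start_time
    remaining = duration - elapsed
    return (order.start_amount * remaining + order.end_amount * elapsed) // duration


def fulfill(order: Order, now: int, deadline: Optional[int] = None) -> int:
    # `deadline` is the optional parameter the report recommends (hypothetical).
    if not verify_time(order, now):
        raise OrderInactive
    if deadline is not None and now > deadline:
        raise DeadlinePassed
    return current_amount(order, now)


def match(maker: Order, taker: Order, now: int) -> int:
    # matchOrders route: the taker's own end_time bounds the execution time.
    # Amount matching between the two orders is omitted from this model.
    if not (verify_time(maker, now) and verify_time(taker, now)):
        raise OrderInactive
    return current_amount(maker, now)


# Constructed sample: amount descends from 1000 to 500 over 1000 seconds.
MAKER = Order(start_time=1_000, end_time=2_000, start_amount=1_000, end_amount=500)
TAKER = Order(start_time=1_000, end_time=1_160)  # fulfiller allows ~60 s after t=1100
```

In this model a transaction signed at t=1100 expects 950 but receives 550 if it is only mined at t=1900; both the deadline argument and the taker order's endTime turn that late execution into a revert.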