code-423n4 / 2022-05-opensea-seaport-findings

QA Report #179

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Missing access control

BasicOrderFulfiller is used as a logging aggregator within the entire dapp, but anyone can create logs.

BasicOrderFulfiller.sol#L892-L924


            log3(
                // Supply the pointer for event data in memory.
                eventDataPtr,
                // Supply the size of event data in memory.
                dataSize,
                // Supply the OrderFulfilled event signature.
                OrderFulfilled_selector,
                // Supply the first topic (the offerer).
                calldataload(BasicOrder_offerer_cdPtr),
                // Supply the second topic (the zone).
                calldataload(BasicOrder_zone_cdPtr)
            )

            // Restore the zero slot.
            mstore(ZeroSlot, 0)
        }

        // Determine whether order is restricted and, if so, that it is valid.
        _assertRestrictedBasicOrderValidity(
            orderHash,
            parameters.zoneHash,
            orderType,
            parameters.offerer,
            parameters.zone
        );

        // Verify and update the status of the derived order.
        _validateBasicOrderAndUpdateStatus(
            orderHash,
            parameters.offerer,
            parameters.signature
        );
    }

0xleastwood commented 2 years ago

I believe this issue to be of low-quality, hence, I will mark it as invalid.

GalloDaSballo commented 1 year ago

Lacking POC; also, the function is internal. In lack of more detail, I agree with the judge.