Closed code423n4 closed 2 years ago
This is a known limitation, but also adds a good deal of overhead to validate each ETH / ERC20 item (particularly for something that is ignored). We intend to reject orders that try to set any of these fields to non-zero values, and are working with wallets to improve the display of orders as well.
This is not a vulnerability per se, but can be dangerously misleading for users. Lowering to a Low severity and grouping with the warden's QA report #203
Lines of code
https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/Executor.sol#L63 https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/Executor.sol#L66 https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/Consideration.sol#L215 https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/Consideration.sol#L300
Vulnerability details
Impact
These structs are used through
Consideration.fulfillAvailableOrders()
andConsideration.fulfillAvailableAdvancedOrders()
:These two structures are used to convey Ether/ERC-20/ERC-721/ERC-1155 transfers, however not all fields are always used:
token
andidentifier
is not used and remain unchecked and can contain anythingidentifier
is unused and uncheckedWhile this problem does not impact transfers, it can certainly impact the display of these order details to the user. A user may be mislead to think a transfer is about a ERC-721 token, but in reality they will receive an ERC-20. Since OpenSea users have a history of facing "phishing" attacks, we think a medium severity for this is appropriate.
This lack of checking is present in multiple places.
Real world impact example
As an example one could create an order transferring 1 Ether to look like it transfers 1 BAYC (or any other popular NFT). The transaction data would only differ in a single byte. While good data inspection tools are lacking on the wallet side, users are mostly familiar with at least spotting token addresses and
tokenId
s, and so could verify that it "looks like" the correct thing, but miss the single byte difference, which is theItemType
specific to Seaport.Proof of Concept
Context: Executor.sol#L63, Executor.sol#L66, Consideration.sol#L215, Consideration.sol#L300
Running
Tools Used
Manual review
Recommended Mitigation Steps
Insert checks that these unused fields are
0
.