code-423n4 / 2022-05-opensea-seaport-findings


QA Report #21

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

missing checks for zero address

description

Checking addresses against zero-address during initialization or during setting is a security best-practice. However, such checks are missing in the createConduit() function in ConduitController.sol

/2022-05-opensea-seaport/contracts/conduit/ConduitController.sol
94: _conduits[conduit].owner = initialOwner;

This is not consistent with the transferOwnership() function, where it does check for address(0):

/2022-05-opensea-seaport/contracts/conduit/ConduitController.sol
196:         // Ensure the new potential owner is not an invalid address.
197:         if (newPotentialOwner == address(0)) {
198:             revert NewPotentialOwnerIsZeroAddress(conduit);
199:         }

Impact: Allowing zero-addresses may lead to contract redeployments since createConduit() can only be called once.

Unspecific Compiler Version Pragma

description

Avoid floating pragmas for non-library contracts.

While floating pragmas make sense for libraries to allow them to be included with multiple different versions of applications, it may be a security risk for application implementations.

A known vulnerable compiler version may accidentally be selected, or security tools might fall back to an older compiler version, ending up checking a different EVM compilation than the one that is ultimately deployed on the blockchain.

It is recommended to pin to a concrete compiler version.

findings

/2022-05-opensea-seaport/contracts/conduit/Conduit.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/conduit/ConduitController.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/AbridgedTokenInterfaces.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/AmountDerivationErrors.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/ConduitControllerInterface.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/ConduitInterface.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/ConsiderationEventsAndErrors.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/ConsiderationInterface.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/CriteriaResolutionErrors.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/EIP1271Interface.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/FulfillmentApplicationErrors.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/ImmutableCreate2FactoryInterface.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/ReentrancyErrors.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/SeaportInterface.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/SignatureVerificationErrors.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/TokenTransferrerErrors.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/ZoneInteractionErrors.sol
2: pragma solidity >=0.8.7;

/2022-05-opensea-seaport/contracts/interfaces/ZoneInterface.sol
2: pragma solidity >=0.8.7;
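
As an added example (not Seaport's ConduitController and not code from the warden's report), the following minimal controller applies both recommendations above: a pinned compiler version instead of a floating `>=0.8.7`, and a zero-address check on `initialOwner` that runs before any state is written, mirroring the check quoted from transferOwnership(). The contract names `ZeroAddressCheckedController` and `ConduitStub`, the error `InvalidInitialOwner`, and the simplified `ConduitProperties` layout are assumptions for this illustration only.

```solidity
// SPDX-License-Identifier: MIT
// Pinned compiler version (per the "Unspecific Compiler Version Pragma" finding)
// instead of the floating `pragma solidity >=0.8.7;` seen across the repository.
pragma solidity 0.8.7;

/// @notice Stand-in for a conduit contract. Assumed for this example; it is not
///         Seaport's Conduit and only records which controller deployed it.
contract ConduitStub {
    address public immutable controller;

    constructor() {
        controller = msg.sender;
    }
}

/// @notice Minimal controller illustrating the hardened createConduit().
///         Names and storage layout are assumptions for this example.
contract ZeroAddressCheckedController {
    /// @dev Raised when a conduit would be created with address(0) as its owner.
    error InvalidInitialOwner(bytes32 conduitKey);

    struct ConduitProperties {
        bytes32 key;
        address owner;
        address potentialOwner;
    }

    mapping(address => ConduitProperties) private _conduits;

    /// @dev Deploys a conduit at an address derived from `conduitKey` and records
    ///      its owner. The zero-address check is the first thing that happens, so a
    ///      bad call reverts before any deployment or storage write.
    function createConduit(bytes32 conduitKey, address initialOwner)
        external
        returns (address conduit)
    {
        if (initialOwner == address(0)) {
            revert InvalidInitialOwner(conduitKey);
        }

        // CREATE2 with the key as salt: a second deployment with the same salt
        // fails at the EVM level and Solidity reverts, which is why an owner
        // mistakenly recorded as address(0) could not be corrected afterwards.
        conduit = address(new ConduitStub{salt: conduitKey}());

        _conduits[conduit] = ConduitProperties({
            key: conduitKey,
            owner: initialOwner,
            potentialOwner: address(0)
        });
    }

    /// @dev Read-only accessor so a test can confirm the recorded owner.
    function ownerOf(address conduit) external view returns (address) {
        return _conduits[conduit].owner;
    }
}
```

Placing the check ahead of the CREATE2 deployment matters: once the conduit exists at its salt-derived address, the only way to obtain a conduit with a usable owner for that key would be to deploy a fresh controller, which is the "contract redeployments" impact the report describes.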

GalloDaSballo commented 2 years ago

missing checks for zero address

Valid Low per #56

GalloDaSballo commented 2 years ago

1 NC as well

1L 1NC