0age
commented
2 years ago confirmed partially, disputed other aspects
Closed code423n4 closed 2 years ago
0age
commented
2 years ago confirmed partially, disputed other aspects
d1ll0n
commented
2 years ago The example given on the wikipedia page of giving two leaves as (0-0 . 0-1) and (1-0 . 1-1) is impossible, as all parent nodes will be 64 bytes before being hashed and the contract will only accept 32 byte IDs as leaves. The only version of this that could work is providing the merkle root itself as a leaf with no proof, as reported in another issue.
Duplicating a leaf node also isn't an issue as it'd just allow you to prove the leaf twice, which has no effect given we don't update merkle roots.
0xleastwood
commented
2 years ago I believe the finding to be invalid because:
The actual issue highlighted by other wardens identifies a way for users to potentially resolve a merkle tree to a potentially valid tokenId by providing an intermediate issue. As there is no mention of this by the warden, I've decided to side with the sponsor.
Lines of code
https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/CriteriaResolution.sol#L241-L287
Vulnerability details
this implemenation is vulnerable to a second pre-image attack.
Also, this implementation is vulnerable to a forgery attack for an unbalanced tree, where the last leaf node can be duplicated to create an artificial balanced tree, resulting in the same Merkle root hash.
Tools Used
Manual Review
Recommended Mitigation Steps
1) Use a difference hashing function for leaves and nodes, so that H(x) != H'(x). 2) Do not accept unbalanced tree to prevent forgery attack