code-423n4 / 2022-05-opensea-seaport-findings


Order Overflow #26

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://gist.github.com/9878d3df636caa8565dcdf179ac44dae.git

Vulnerability details

Impact

In the partial fill orderStatus calculation, there could be an overflow in the numerator and denominator calculation. This overflow could lead a buyer to buy more NFT/Other tokens than order amount.

First example of impact: An NFT seller has two orders:

- order 1 -> 1 NFT at a price of $30 (USDC)
- order 2 -> 4 NFT at a price of $100 (USDC), which can be partially filled

After generating the orders, the seller approves all 5 NFT to the Seaport contract. With the vulnerability, a buyer could overflow the numerator and denominator calculation and with that buy 5 NFT from the second order, which means he can buy all 5 NFT for $125 instead of $130.

Second example of impact: An NFT seller has two orders:

- order 1 -> 2 NFT of type 1 for $20 (USDC), which can be partially filled
- order 2 -> 2 NFT of type 1 and 2 NFT of type 2 for $40 (USDC), which cannot be partially filled

After generating the orders, the seller approves all 6 NFT (4 of type 1 and 2 of type 2) to the Seaport contract. With the vulnerability, a buyer could buy an NFT of type 1 four times from order 1. Then order 2 will not be valid anymore, because the seller will "lose" all 4 NFT of type 1.

Proof of Concept

The main bug is in the reduction of the numerator and denominator to uint120. The casting could reduce the numerator and denominator to 0, and then the buyer can use the order again and again, until the seller has no more NFT approved for Seaport.

An example of an overflow is with the parameters 2^58/2^59 for the first order and 2^60/2^61 for the second order. These numbers are equal to buying 1/2 of the order, which is very likely in a partial fill. But after the two orders, the numerator and denominator will be equal to 0. Therefore the buyer will be able to buy again.

The POC is in the gist link - https://gist.github.com/9878d3df636caa8565dcdf179ac44dae.git. The bug is in lines 201-204.

Tools Used

VSCode, GitHub, Etherscan

Recommended Mitigation Steps

Revert on overflow when filledNumerator + numerator >= 2^120. Revert on overflow when denominator >= 2^120.

I think the order should include the denominator of the partial fills, and then every partial fill should have a denominator with that value. This would make the entire process a lot easier.
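Editor's worked model of the arithmetic this finding describes, added here as an example; it is not the warden's PoC and not Seaport's code. It assumes the stored status is the pair (filledNumerator, filledDenominator) held as uint120 and that a new fill is merged by cross-multiplying to a common denominator before the cast; `apply_fill`, `run_fills`, `remaining_fraction` and `HALF_FILLS` are names chosen for this example. With the finding's two half-fills the truncating variant ends at 0/0 (the order reads as untouched), while the checked variant rejects the second fill, which is the recommended mitigation.

```python
UINT120_MAX = (1 << 120) - 1   # orderStatus stores both values as uint120


def apply_fill(status, fraction, checked):
    """Merge one partial fill into the stored order status.

    status   -- (filledNumerator, filledDenominator) currently stored
    fraction -- (numerator, denominator) of the fill being applied
    checked  -- False: silently truncate to uint120 (the behaviour the
                finding reports); True: reject when either value would not
                fit, i.e. the recommended mitigation.
    Returns the new status, or None when the checked variant rejects.
    """
    filled_num, filled_den = status
    num, den = fraction
    if filled_num == 0:
        new_num, new_den = num, den          # first fill of this order
    else:
        if filled_den != den:
            # assumed simplification: bring both fractions to a common denominator
            filled_num *= den
            num *= filled_den
            den *= filled_den
        if filled_num + num > den:
            num = den - filled_num           # cap at a complete fill
        new_num, new_den = filled_num + num, den
    if checked and (new_num > UINT120_MAX or new_den > UINT120_MAX):
        return None                          # mitigation: revert on overflow
    # uint120 cast: bits at or above 2^120 are dropped, so 2^120 becomes 0
    return new_num & UINT120_MAX, new_den & UINT120_MAX


def remaining_fraction(status):
    """Share of the order still fillable; a 0/0 status reads as untouched."""
    num, den = status
    return 1.0 if den == 0 else 1 - num / den


def run_fills(fills, checked):
    """Apply fills in sequence, stopping at the first rejected one."""
    status = (0, 0)
    for fraction in fills:
        nxt = apply_fill(status, fraction, checked)
        if nxt is None:
            break
        status = nxt
    return status


# Constructed input: the finding's two half-fills, 2^58/2^59 then 2^60/2^61.
HALF_FILLS = [(1 << 58, 1 << 59), (1 << 60, 1 << 61)]
```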

liveactionllama commented 2 years ago

Warden reached out via C4 help request on May 31st and asked that the original embed link they included in their submission be replaced (in both instances within this submission) with a secret gist link they've provided. I've updated the submission accordingly.

0age commented 2 years ago

Duplicate of the other findings to this effect, just not as clearly phrased.

HardlyDifficult commented 2 years ago

Dupe of #77