code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-opensea-seaport/blob/4140473b1f85d0df602548ad260b1739ddd734a5/reference/lib/ReferenceOrderValidator.sol#L316-L353

Vulnerability details

Impact

The _validate function will call the _verifyOrderStatus function. When orderStatus.isCancelled == true, the canceled order cannot be set as valid.

    function _verifyOrderStatus(
        bytes32 orderHash,
        OrderStatus memory orderStatus,
        bool onlyAllowUnused,
        bool revertOnInvalid
    ) internal pure returns (bool valid) {
        // Ensure that the order has not been cancelled.
        if (orderStatus.isCancelled) {
            // Only revert if revertOnInvalid has been supplied as true.
            if (revertOnInvalid) {
                revert OrderIsCancelled(orderHash);
            }

            // Return false as the order status is invalid.
            return false;
        }

This is not a good implementation, the offerer should have the right to validate a cancelled order.

Proof of Concept

https://github.com/code-423n4/2022-05-opensea-seaport/blob/4140473b1f85d0df602548ad260b1739ddd734a5/reference/lib/ReferenceOrderValidator.sol#L316-L353 https://github.com/code-423n4/2022-05-opensea-seaport/blob/4140473b1f85d0df602548ad260b1739ddd734a5/contracts/lib/Verifiers.sol#L102-L117

Tools Used

None

Recommended Mitigation Steps

Uncall the _verifyOrderStatus function in the _validate function.

0age commented 2 years ago

This is wrong, cancelled orders must remain cancelled under all circumstances. Offerers that want to "revalidate" a cancelled order should just create a new order (can even be an identical order, just with a different salt — that's the primary purpose of the salt value)

HardlyDifficult commented 2 years ago

Creating a new order using a different salt is a reasonable way to revalidate a previously canceled order.

code-423n4 / 2022-05-opensea-seaport-findings