Closed code423n4 closed 2 years ago
This is wrong; cancelled orders must remain cancelled under all circumstances. Offerers that want to "revalidate" a cancelled order should just create a new order (can even be an identical order, just with a different salt — that's the primary purpose of the salt value).
Creating a new order using a different salt is a reasonable way to revalidate a previously canceled order.
Lines of code
https://github.com/code-423n4/2022-05-opensea-seaport/blob/4140473b1f85d0df602548ad260b1739ddd734a5/reference/lib/ReferenceOrderValidator.sol#L316-L353
Vulnerability details
Impact
The _validate function will call the _verifyOrderStatus function. When orderStatus.isCancelled == true, the canceled order cannot be set as valid.
This is not a good implementation; the offerer should have the right to validate a cancelled order.
Proof of Concept
https://github.com/code-423n4/2022-05-opensea-seaport/blob/4140473b1f85d0df602548ad260b1739ddd734a5/reference/lib/ReferenceOrderValidator.sol#L316-L353
https://github.com/code-423n4/2022-05-opensea-seaport/blob/4140473b1f85d0df602548ad260b1739ddd734a5/contracts/lib/Verifiers.sol#L102-L117
Tools Used
None
Recommended Mitigation Steps
Remove the call to the _verifyOrderStatus function in the _validate function.
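The replies at the top of this thread state that a cancelled order stays cancelled and that re-listing is done by signing the same order with a different salt. The Solidity model below is an added example, not Seaport's code and not part of the original report: it shows a status registry keyed by order hash in which cancellation is terminal while a re-salted order hashes to a fresh, unaffected entry. The contract name, struct fields, error names, the offerer-only access check and the `keccak256(abi.encode(...))` hash are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not Seaport code. All names here are hypothetical.
contract OrderStatusModel {
    struct Order {
        address offerer;
        address token;
        uint256 tokenId;
        uint256 price;
        uint256 salt; // the only field that changes when an order is re-listed
    }

    struct Status {
        bool isValidated;
        bool isCancelled;
    }

    // Status is tracked per order hash, never per offerer or per item.
    mapping(bytes32 => Status) public status;

    error OrderIsCancelled(bytes32 orderHash);
    error NotOfferer();

    // Assumption: a plain hash of the ABI-encoded struct stands in for the
    // protocol's real order hash. Every field, including salt, is covered.
    function hashOrder(Order calldata order) public pure returns (bytes32) {
        return keccak256(abi.encode(order));
    }

    function cancel(Order calldata order) external {
        if (msg.sender != order.offerer) revert NotOfferer();
        // Cancelling also clears any earlier validation of this hash.
        status[hashOrder(order)] = Status({isValidated: false, isCancelled: true});
    }

    function validate(Order calldata order) external {
        if (msg.sender != order.offerer) revert NotOfferer();
        bytes32 orderHash = hashOrder(order);
        // Terminal state: nothing in this contract resets isCancelled, so a
        // cancelled hash can never be marked valid again.
        if (status[orderHash].isCancelled) revert OrderIsCancelled(orderHash);
        status[orderHash].isValidated = true;
    }
}
```

Calling `cancel` and then `validate` with the same struct reverts with `OrderIsCancelled`, while the same struct with only `salt` changed produces a different hash and validates normally.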