Closed code423n4 closed 2 years ago
The warden has identified an edge case which is incorrectly handled by the _aggregateValidFulfillmentOfferItems() and _aggregateValidFulfillmentConsiderationItems() functions. As such, these functions may accept an invalid input as it fails to revert even though an error is present. I do not believe funds are at risk, however, users may unintentionally fulfill an order with invalid inputs. This order fulfillment is likely to always revert due to an overflow/zero amount input. As a result, this would impact the protocol's overall user experience and for that reason, I think medium severity is justified.
Great find!
Lines of code
https://github.com/ProjectOpenSea/seaport/blob/49799ce156d979132c9924a739ae45a38b39ecdd/contracts/lib/FulfillmentApplier.sol#L274
https://github.com/ProjectOpenSea/seaport/blob/49799ce156d979132c9924a739ae45a38b39ecdd/contracts/lib/FulfillmentApplier.sol#L571
https://github.com/ProjectOpenSea/seaport/blob/49799ce156d979132c9924a739ae45a38b39ecdd/contracts/lib/FulfillmentApplier.sol#L746-L756
https://github.com/ProjectOpenSea/seaport/blob/49799ce156d979132c9924a739ae45a38b39ecdd/contracts/lib/FulfillmentApplier.sol#L465-L476
Vulnerability details
Value Overflow in FulfillmentApplier.sol
Repo commit referenced: 49799ce156d979132c9924a739ae45a38b39ecdd
Impact
In _aggregateValidFulfillmentOfferItems (Line 274) and _aggregateValidFulfillmentConsiderationItems (Line 571) a variable errorBuffer has been defined as
and later on in a for loop this value keeps getting updated:
Unlike what the comment describes in the code block above, the value of errorBuffer can also be 3 when we have
Keeping that in mind, at the end of each function, we have a check for the value of errorBuffer and depending on if it is 1 or 2, we will throw an error:
So the case when errorBuffer is 3 is not caught.
Proof of Concept
Here is a POC as a hardhat test which can be incorporated in the hardhat test file provided by this repo (since we are using some of the utility functions defined in that test file):
The test above passes and so matchAdvancedOrders (which is an external function for Seaport) does not throw an error.
Recommended Mitigation Steps
Add a 3rd case for bufferError covering when its value is 3.
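The flag handling described in this report, modelled in JavaScript as an added example (not the Seaport code and not the warden's hardhat POC). The function names, the error labels and the assignment of bit 0 to a zero amount and bit 1 to an overflow are assumptions; the hardened check tests each bit, which generalizes the recommended third case.

```javascript
// Added model of the errorBuffer logic; all names and bit meanings are assumptions.
const MAX_UINT256 = (1n << 256n) - 1n;
const ZERO_AMOUNT = 1n; // assumed: bit 0 is set when an item amount is zero
const OVERFLOW = 2n;    // assumed: bit 1 is set when the running sum wraps

// OR the flags together across all items, as an aggregation loop would.
function aggregate(amounts) {
  let total = 0n;
  let errorBuffer = 0n;
  for (const amount of amounts) {
    const newTotal = (total + amount) & MAX_UINT256; // unchecked 256-bit add
    if (amount === 0n) errorBuffer |= ZERO_AMOUNT;
    if (newTotal < total) errorBuffer |= OVERFLOW;
    total = newTotal;
  }
  return { total, errorBuffer };
}

// Check as the report describes it: only the exact values 1 and 2 revert.
function checkReported(errorBuffer) {
  if (errorBuffer === 1n) throw new Error("zero amount");
  if (errorBuffer === 2n) throw new Error("overflow");
}

// Hardened check: test each bit, so every non-zero buffer reverts.
function checkHardened(errorBuffer) {
  if (errorBuffer & OVERFLOW) throw new Error("overflow");
  if (errorBuffer & ZERO_AMOUNT) throw new Error("zero amount");
}

// Returns the error a check raises for these amounts, or null if it accepts them.
function outcome(check, amounts) {
  try {
    check(aggregate(amounts).errorBuffer);
    return null;
  } catch (e) {
    return e.message;
  }
}

// Constructed input: one zero amount plus two amounts whose sum wraps.
const BOTH_ERRORS = [0n, MAX_UINT256, 1n];
console.log(aggregate(BOTH_ERRORS).errorBuffer, outcome(checkReported, BOTH_ERRORS),
  outcome(checkHardened, BOTH_ERRORS));
```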