nneverlander
commented
2 years ago Duplicate
Closed code423n4 closed 2 years ago
nneverlander
commented
2 years ago Duplicate
HardlyDifficult
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L1267 https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L725-L726 https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L729
Vulnerability details
NO TIMELOCK ON
setProtocolFee()CAN LEAD TO SELLERS LOSING THEIR NFTsIn
InfinityExchange.sol, there is no timelock onsetProtocolFee(). This is the fee that is applied in orders, and determines how much the Exchange receives in fee VS how much the seller receives. But:PROTOCOL_FEE_BPSis set to its new value whensetProtocolFee()is created.Users will be incited to use the exchange if the fee is low (
PROTOCOL_FEE_BPSis initially2.5%). A malicious owner could effectively wait for enough activity to happen in the exchange, then set a very high fee, which would result in all further orders going through the exchange transferring the sales revenue from the buyers to the Exchange, resulting in the sellers effectively losing their NFTs.Impact
Medium
Proof Of Concept
The malicious owner calls
setProtocolFee(10000), settingPROTOCOL_FEE_BPSas 100%.matchOneToOneOrders()for a specific NFT criteria._execMatchOneToOneOrders(),protocolFee = (protocolFeeBps * execPrice) / 10000 = execPriceremainingAmount = execPrice - protocolFee = 0execPriceto the exchange. The seller has effectively lost their NFT.Tools Used
Manual Analysis
Recommended Mitigation Steps
Two things can be done:
setProtocolFee()setProtocolFee().