Closed code423n4 closed 2 years ago
The hardhat test included here makes it easy to understand and confirm this issue. Thank you! Because of that detail I'm inclined to make this report the primary.
This is a High risk issue. Effectively the system supports 2 relevant criteria on orders here - which tokens and how many, but the latter is not checked in this flow. This allows a buyer to purchase more NFTs from the seller than they intended to sell.
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/core/InfinityExchange.sol#L178
Vulnerability details
Impact
An order can specify a
numItems
inMakerOrder.constraints[0]
. This number is the min/max number of items the order wants to buy/sell. For example a buy order can provide a list of nfts and say that wants to buy only 3 of them from that list. The functionmatchOneToManyOrders
has an issue where it doesn't check thenumItems
of the "many" orders. This leads to orders selling more items than specified by the owner.Proof of Concept
As an example, let's consider two orders: 1) (Order1) buy 3 items from [Punk1, Punk2, Punk3] 2) (Order2) sell 1 item from [Punk1, Punk2, Punk3]
We can call
matchOneToManyOrders(makerOrder, manyMakerOrders)
withmakerOrder = Order1
andmanyMakerOrders = [Order2]
. The result is that all 3 items get transferred, contrary to the will of Order2's signer.I've proved this example in a hardhat test, link to gist.
Recommended Mitigation Steps
Check somewhere that
manyMakerOrders[i].constraints[0]
is valid during the execution ofmatchOneToManyOrders
.