Closed code423n4 closed 2 years ago
uint256 gasCost = (startGas - gasleft() + WETH_TRANSFER_GAS_UNITS) * tx.gasprice;
As far as I see, this will only transfer from Alice the actual gas cost of the transaction. Not an arbitrary amount. So the issue seems invalid.
Duplicate
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L123-L294
Vulnerability details
Impact
The protocol can steal WETH funds with the gas cost refund mechanism in the functions `matchOneToOneOrders`, `matchOneToManyOrders` and `matchOrders`.
These functions can only be called by the `MATCH_EXECUTOR`, but we don't know what this contract/address is; according to the sponsor in Discord, this code is not public.
Proof of Concept
1) Alice approves WETH for use by the exchange; generally this approval is for the max amount, to save gas on future approvals
2) Alice makes an order to sell/buy
3) When the `MATCH_EXECUTOR` sends `matchOneToManyOrders` with Alice's signature, it sends the transaction with a high amount of gas
4) At L231 the `gasCost` will be high
5) At L237 or L240 the protocol takes the `gasCost` from Alice to the exchange
6) The remaining gas of the transaction will return to the sender of the transaction
Recommended Mitigation Steps
The best approach is to remove the gas cost refund mechanism and use another mechanism to charge fees in an easy way, like a fixed amount of X token.
Another option is to add another mechanism that gives the signer of the order the max amount of fee in WETH that they are willing to pay.
In the `OrderTypes` library:
In `InfinityExchange.sol` add these lines:
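An added example, not part of the original report or the Infinity code base: a Python model of the refund formula quoted above, showing that the amount charged follows the gas consumed and `tx.gasprice` rather than the transaction's gas limit, and how a maker-signed cap as in the second mitigation bounds it. The `Weth` ledger, `settle`, `max_gas_cost` and the value given to `WETH_TRANSFER_GAS_UNITS` are assumptions.

```python
from dataclasses import dataclass

WETH_TRANSFER_GAS_UNITS = 50_000  # assumed value; not stated on this page


class RefundTooHigh(Exception):
    """Computed refund exceeds the cap the maker signed (hypothetical field)."""


@dataclass
class Weth:
    """Minimal constructed WETH ledger: balances and allowances to the exchange."""
    balances: dict
    allowance: dict

    def transfer_from(self, owner, to, amount):
        if self.allowance.get(owner, 0) < amount or self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient allowance or balance")
        self.allowance[owner] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def gas_cost(start_gas, gas_left, gas_price):
    # Mirrors: (startGas - gasleft() + WETH_TRANSFER_GAS_UNITS) * tx.gasprice
    return (start_gas - gas_left + WETH_TRANSFER_GAS_UNITS) * gas_price


def settle(weth, maker, exchange, gas_limit, gas_used, gas_price, max_gas_cost=None):
    """Charge the maker for one match; max_gas_cost models a maker-signed cap."""
    start_gas = gas_limit            # simplification: gasleft() at function entry
    gas_left = gas_limit - gas_used  # gasleft() when the refund is computed
    cost = gas_cost(start_gas, gas_left, gas_price)
    if max_gas_cost is not None and cost > max_gas_cost:
        raise RefundTooHigh(f"{cost} wei exceeds signed cap {max_gas_cost}")
    weth.transfer_from(maker, exchange, cost)
    return cost


if __name__ == "__main__":
    gwei = 10**9
    weth = Weth({"alice": 10**18}, {"alice": 2**256 - 1})
    # Same work, very different gas limits: the charge is identical.
    print(settle(weth, "alice", "exchange", 500_000, 200_000, 30 * gwei))
    print(settle(weth, "alice", "exchange", 30_000_000, 200_000, 30 * gwei))
    try:  # Ten times the gas price exceeds the 0.01 WETH cap, so nothing moves.
        settle(weth, "alice", "exchange", 500_000, 200_000, 300 * gwei, 10**16)
    except RefundTooHigh as err:
        print("rejected:", err)
```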