Open code423n4 opened 2 years ago
Please check this: https://github.com/infinitydotxyz/exchange-contracts-v2/commit/7f0e195d52165853281b971b8610b27140da6e41
No more ERC1155 either.
The loop that transfers NFTs already checks for non empty array
Not sure of the assessment.
This is a great report, appreciate the detail and the PoC code.
Given that the call must originate from the match executor, it seems unlikely that it would match with an empty sell order. Additionally it should be easy to filter these when submitted off-chain. With that in mind, lowering this to a Medium risk issue.
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/765376fa238bbccd8b1e2e12897c91098c7e5ac6/contracts/core/InfinityExchange.sol#L178
Vulnerability details
Impact
The
MatchOneToManyOrders
does not check whether a given sell order is malicious, i.e., containing no NFT tokens but still requiring payment.This may cause the sellers to maliciously profit.
For example, we have a
buyOrder
and a set of sell orders[sellOrder0, sellOrder1, sellOrder2]
. Originally, they match well but with a legal price gas (which is common in the real world), i.e.,MatchOneToManyOrders(buyOrder, [sellOrder0, sellOrder1, sellOrder2])
can be successfully processed.However, If the hacker proposes another
sellOrder3
which sells nothing but requests money/tokens. TheMatchOneToManyOrders(buyOrder, [sellOrder0, sellOrder1, sellOrder2, sellOrder3])
will also succeed and the hacker does not need to send out any NFT token but grabs a considerable gain.Attack Scenario
There are two possible attack scenarios.
The
MATCH_EXECUTOR
is not in a good faithMATCH_EXECUTOR
can always gain profit by leveraging this vulnerability. That is, every time the executor proposes aMatchOneToManyOrders
, it can add one more EMPTY order to gain the profit.It is one kind of centralization issue. All the processes should happen in a trust-less environment.
Hackers can brute force the price gaps by sending out a large amount of EMPTY sell orders
Note that creating an order happens off-chain. That means, the hacker can send out a large amount of EMPTY orders without paying any gas fee.
Once the executor picks any of the malicious orders, the hacker can gain the profit without a loss of NFT tokens.
This vulnerability also affects
matchOrders
.Proof of Concept
Put the following
poc3.js
undertest/
directory.and run
npx hardhat test --grep PoC_matchOneToManyOrders
Tools Used
Manual Inspection
Recommended Mitigation Steps
The mitigate the issue entirely, I would suggest to ban any empty NFT transfers.
For example,
numNfts
must be bigger than zero here. Also make sure the ERC1155 transferring at least 1 item.