Closed code423n4 closed 2 years ago
There is no exploit to making an order with oneself. Should be QA.
A maker can fill their own order - this is desired behaviour.
e.g. there is a use case for a maker to to mint a long and short call option on chain, and then auctioning off the long/call NFT on opensea or another NFT trading platform.
Agree with sponsor that this is intended functionality.
Lines of code
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L268
Vulnerability details
Impact
Detailed description of the impact of this finding.
fillOrder() does not check order.maker ! = caller, which means that _mint(order.maker, uint256(orderHash)); & _mint(msg.sender, positionId); can mint NFT to the same person and therefore may create unintended risks.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Tools Used
Recommended Mitigation Steps
require(order.maker != msg.sender);