Closed code423n4 closed 2 years ago
When exercising an order, the contract transfers the ERC721 to the 0xdead
address:
transferFrom(msg.sender, address(0xdead), uint256(orderHash));
If the order is already exercised, the sender doesn't have the token and it reverts on that line.
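The behaviour described in the comment above, as an added example that is not part of the original comment or of PuttyV2: a minimal model in which `exercise` moves the position token to `0xdead`, so a repeat call fails the ownership check inside `transferFrom`. `PositionModel`, `Holder`, `mint`, `run` and the revert strings are assumptions made for the illustration; approvals and settlement are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Added illustration, not PuttyV2's code. Only transferFrom, orderHash and
// the 0xdead address come from the page; every other name is hypothetical.
contract PositionModel {
    // Token id => current owner (id is uint256(orderHash), as on the page).
    mapping(uint256 => address) public ownerOf;

    // Hypothetical helper: create the position token for an order.
    function mint(address to, bytes32 orderHash) external {
        uint256 id = uint256(orderHash);
        require(ownerOf[id] == address(0), "ALREADY_MINTED");
        ownerOf[id] = to;
    }

    // ERC721-style transfer reduced to its ownership check (assumption:
    // the token implementation rejects a `from` that is not the owner).
    function transferFrom(address from, address to, uint256 id) public {
        require(from == ownerOf[id], "WRONG_FROM");
        require(msg.sender == from, "NOT_AUTHORIZED");
        ownerOf[id] = to;
    }

    // The transfer to 0xdead doubles as the "already exercised" guard:
    // once it has run, msg.sender no longer owns the token.
    function exercise(bytes32 orderHash) external {
        transferFrom(msg.sender, address(0xdead), uint256(orderHash));
        // settlement of the order would follow here
    }
}

// Hypothetical caller that tries to exercise the same order twice.
contract Holder {
    function run(PositionModel p, bytes32 orderHash)
        external
        returns (bool first, bool second)
    {
        p.mint(address(this), orderHash);
        // First call: Holder owns the token, so the transfer goes through.
        try p.exercise(orderHash) { first = true; } catch {}
        // Repeat call: the owner is now 0xdead, so transferFrom reverts.
        try p.exercise(orderHash) { second = true; } catch {}
    }
}
```

The guard holds only while the token's `transferFrom` enforces that `from` is the current owner and nothing can move the token back out of `0xdead`.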
Lines of code
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L416
Vulnerability details
Impact
During the code review, it has been noticed that the check is missing if the order is exercised already. The order can be exercised multiple times through the function.
Proof of Concept
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L416
Tools Used
Code Review
Recommended Mitigation Steps
Consider adding the following check at the beginning of the function.