search

code-423n4 / 2022-06-putty-findings

5 stars 0 forks source link

Missing check If the order is already exercised #362

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L416

Vulnerability details

Impact

During the code review, It has been noticed that the check is missing If the order is exercised already. Order can be exercised multiple times through the function.

Proof of Concept

https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L416

Tools Used

Code Review

Recommended Mitigation Steps

Consider add the following check at the beginning of the function.

require(!exercisedPositions[uint256(orderHash)], "already exercised");
rotcivegaf commented 2 years ago

When exercise an order, the contract transfer the ETC721 to the 0xdead address: transferFrom(msg.sender, address(0xdead), uint256(orderHash)); If the order is already exercised the sender don't have the token and reverts in that line