Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/misc/marketplaces/LooksRareAdapter.sol#L73-L94
Vulnerability details
Impact
The matchAskWithTakerBid() function is vulnerable to a reentrancy attack: it calls external functions that can be manipulated to make the function re-enter itself, allowing the attacker to drain the contract of ether or other assets before the transaction is completed.
Proof of Concept
Tools Used
Slither, Echidna, Manticore, MythX, Foundry Fuzz Testing, and Mythril.
Recommended Mitigation Steps
Recommendation or solution code in Solidity to fix the bug: add a require statement that checks whether the calling address is the same as the sender address of the transaction. This will prevent an attacker from calling the function multiple times.
Solution code:
require(msg.sender == address(this));
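As an added example (not from the report and not ParaSpace's LooksRareAdapter code), the pattern below shows the two standard defences against the reentrancy described above: a mutex-style nonReentrant guard and checks-effects-interactions ordering, applied to a hypothetical settlement function that, like the adapter, makes an external marketplace call followed by an asset transfer. The contract, interface and function names are stand-ins chosen for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal stand-ins for the external contracts an adapter talks to.
interface IMarketplace {
    function matchAskWithTakerBid(bytes calldata order) external payable;
}

interface IERC721Minimal {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical adapter used only to illustrate the guard; not ParaSpace code.
contract GuardedAdapter {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    // Mutex: while an outer call is still executing, any nested call into a
    // nonReentrant function reverts, regardless of which address makes it.
    modifier nonReentrant() {
        require(_status == NOT_ENTERED, "REENTRANCY");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }

    // Per-order settlement record, written before any external call.
    mapping(bytes32 => bool) public settled;

    // Settlement shaped like the flow in the report: an external marketplace
    // call, then an NFT transfer. State is updated first (effects), the
    // external calls come last (interactions), and the mutex covers both.
    function settleTakerBid(
        IMarketplace market,
        bytes calldata order,
        IERC721Minimal nft,
        uint256 tokenId,
        address recipient
    ) external payable nonReentrant {
        bytes32 orderHash = keccak256(order);
        require(!settled[orderHash], "ALREADY_SETTLED");
        settled[orderHash] = true;                                // effect
        market.matchAskWithTakerBid{value: msg.value}(order);     // interaction 1
        nft.safeTransferFrom(address(this), recipient, tokenId);  // interaction 2
    }
}
```

A re-entrant call arriving from either external callee hits the guard and reverts, and even without the guard the already-set settled flag stops the same order from being processed twice.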