Lines of code
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/libraries/logic/MarketplaceLogic.sol#L132
Vulnerability details
Description
Owner can set new marketplace adapters using setMarketplace:
Later, marketplace adapters are called via delegatecall in MarketPlaceLogic's _buyWithCredit:
```solidity
// delegateCall to avoid extra token transfer
Address.functionDelegateCall(
    params.marketplace.adapter,
    abi.encodeWithSelector(
        IMarketplace.matchAskWithTakerBid.selector,
        params.marketplace.marketplace,
        params.payload,
        priceEth
    )
);
```
The combination of these two functions allows the owner to immediately execute arbitrary code in the context of the pool: they register a new marketplace whose adapter is a malicious contract, and that contract's matchAskWithTakerBid then runs via delegatecall with the pool's storage and privileges.
Concretely, they may rug all NTokens using these functions:
These functions, guarded by onlyPool, allow a compromised owner to transfer the underlying NFTs or mint NTokens for their own gain, making massive profits.
Impact
Owner has complete control of NTokens using unsafe marketplace delegatecall
Proof of Concept
Tools Used
Manual audit
Recommended Mitigation Steps
Consider adding a timelock on the insertion of new marketplaces, or avoid using delegatecall to enter marketplace adapter contracts.
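As an added illustration of both mitigations (this is not ParaSpace code nor code from the finding), assuming a hypothetical registry contract TimelockedAdapterRegistry, an adapter interface named IMarketplaceAdapter, and a 2-day delay ADAPTER_DELAY:

```solidity
pragma solidity ^0.8.10;
// Added illustration, not ParaSpace code: (1) a new adapter only becomes usable
// after a timelock, giving users time to exit if a bad adapter is announced;
// (2) the adapter is entered with a plain call, never delegatecall, so its code
// runs in its own storage context without the pool's NToken privileges.
interface IMarketplaceAdapter {
    function matchAskWithTakerBid(address marketplace, bytes calldata payload)
        external payable returns (bool);
}
contract TimelockedAdapterRegistry {
    uint256 public constant ADAPTER_DELAY = 2 days; // assumed delay
    address public immutable owner;
    struct Pending { address adapter; uint256 readyAt; }
    mapping(bytes32 => Pending) public pending;  // marketplaceId => proposal
    mapping(bytes32 => address) public adapters; // marketplaceId => live adapter
    event AdapterProposed(bytes32 indexed id, address adapter, uint256 readyAt);
    event AdapterActivated(bytes32 indexed id, address adapter);
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Step 1: the owner announces the adapter; it cannot be used yet.
    function proposeAdapter(bytes32 id, address adapter) external onlyOwner {
        require(adapter.code.length > 0, "adapter is not a contract");
        uint256 readyAt = block.timestamp + ADAPTER_DELAY;
        pending[id] = Pending(adapter, readyAt);
        emit AdapterProposed(id, adapter, readyAt);
    }

    // Step 2: anyone may activate the proposal once the delay has elapsed.
    function activateAdapter(bytes32 id) external {
        Pending memory p = pending[id];
        require(p.adapter != address(0), "nothing pending");
        require(block.timestamp >= p.readyAt, "timelock active");
        adapters[id] = p.adapter;
        delete pending[id];
        emit AdapterActivated(id, p.adapter);
    }

    // External call: the adapter cannot read or write this contract's storage.
    function buy(bytes32 id, address marketplace, bytes calldata payload)
        external payable returns (bool)
    {
        address adapter = adapters[id];
        require(adapter != address(0), "unknown marketplace");
        return IMarketplaceAdapter(adapter)
            .matchAskWithTakerBid{value: msg.value}(marketplace, payload);
    }
}
```

The trade-off is the one the original comment hints at: with a plain call the pool must forward ETH or tokens to the adapter for each purchase, which the delegatecall was avoiding, so the timelock alone is the cheaper change if the delegatecall is kept.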