Closed code423n4 closed 1 year ago
stevennevins marked the issue as sponsor disputed
Users won't be deploying their own sale factories, just their own sale contracts. Escher will have controller over the feeReceiver on the factory that is enforced on the sale contracts. So there is no ruggability of end users here.
Downgrading to QA (Low) as it is a centralization risk.
berndartmueller changed the severity to QA (Quality Assurance)
berndartmueller marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/LPDAFactory.sol#L46-L48 https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/FixedPriceFactory.sol#L42-L44 https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/OpenEditionFactory.sol#L42-L44
Vulnerability details
Impact
In every sale factory contracts (LPDAFactory, FixedPriceFactory, and OpenEditionFactory), the owner of the factory contract has the power to change the
feeReceiver
at any time. This means that before that a sale has finalized (for FixedPrice and OpenEdition sales), the owner could frontrun the lastbuy()
or do it before calling thecancel()
function by itself in the case of theFixedPrice
sale, or front-run/call by itself thefinalize()
after changing thefeeReceiver
. This issue is less likely to be very impactful for theLPDA
sale, as the fees are linearized over time for each sale, but the very first sale in the case of a Dutch auction would be the higest price one. So a malicious factory owner would probably rather want to frontrun the first sale.Proof of Concept
Usually, a
feeReceiver
is the collection artist. Multiple attack vectors have been stated before, but let's take theOpenEdition
contract to illustrate, and for simplicity. We will denote Bob as the (malicious) sale factory owner, and Alice as the artist, andfeeReceiver
.OpenEditionFactory
contractfeeReceiver
with setFeeReceiver as agreed between themfinalize()
functionfeeReceiver
Tools Used
Manual inspection
Recommended Mitigation Steps
Set the
feeReceiver
as a "sale" parameter upon the sale deployment, similarly to thesaleReceiver
for the best transparency for both parties.https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/OpenEdition.sol#L13-L23