Closed code423n4 closed 1 year ago
contested; clearly enforced by the function
// Mark as valid if order has started and has not already ended.
assembly {
    valid := and(
        iszero(gt(startTime, timestamp())),
        gt(endTime, timestamp())
    )
}
dup #28
HickupHH3 marked the issue as unsatisfactory: Insufficient quality
Lines of code
https://github.com/ProjectOpenSea/seaport/blob/5de7302bc773d9821ba4759e47fc981680911ea0/contracts/lib/Verifiers.sol#L39
Vulnerability details
Impact
A possible scenario where the _verifyTime function could cause unexpected behavior is if the input parameters startTime and endTime are not correctly set by the user or another contract. If startTime is greater than endTime, the function would return valid as true, even though the order should not be active.
Proof of Concept
For example, suppose an order is created with a startTime of January 1st, 2025 and an endTime of January 1st, 2020. The _verifyTime function would return valid as true, even though the order is not active. This could lead to an order being executed even though it shouldn't.
Tools Used
Recommended Mitigation Steps
To fix this issue, the code should include a check to ensure that startTime is less than endTime and if not, return valid as false.
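Added example, not part of the issue thread or of Seaport's code: a Python model of the assembly predicate quoted in the thread, evaluated over constructed sample values that include the two dates from the report. The function names and the sample timestamps are assumptions made for this illustration.

```python
from itertools import product

UINT256_MAX = 2**256 - 1

# EVM opcode semantics on unsigned 256-bit words (comparison results are 0 or 1).
def gt(a, b):
    return 1 if a > b else 0

def iszero(a):
    return 1 if a == 0 else 0

def and_(a, b):
    return a & b

def verify_time(start_time, end_time, timestamp):
    """Model of the quoted predicate: and(iszero(gt(start, now)), gt(end, now))."""
    return and_(iszero(gt(start_time, timestamp)), gt(end_time, timestamp))

# Constructed sample values: the report's two dates (UTC midnight) plus word edges.
JAN_1_2020 = 1577836800
JAN_1_2025 = 1735689600
SAMPLES = [0, 1, JAN_1_2020 - 1, JAN_1_2020, JAN_1_2020 + 1,
           JAN_1_2025 - 1, JAN_1_2025, JAN_1_2025 + 1, UINT256_MAX]

def inverted_windows_accepted():
    """Every (start, end, now) with start >= end for which the predicate returns 1."""
    return [(s, e, t) for s, e, t in product(SAMPLES, repeat=3)
            if s >= e and verify_time(s, e, t) == 1]

def report_scenario_results():
    """The report's order (start 2025, end 2020) evaluated at each sample timestamp."""
    return [verify_time(JAN_1_2025, JAN_1_2020, t) for t in SAMPLES]

if __name__ == "__main__":
    print("inverted windows accepted:", inverted_windows_accepted())
    print("report scenario (start 2025, end 2020):", report_scenario_results())
    print("window 2020..2025 at its start:",
          verify_time(JAN_1_2020, JAN_1_2025, JAN_1_2020))
    print("window 2020..2025 at its end:",
          verify_time(JAN_1_2020, JAN_1_2025, JAN_1_2025))
```

The predicate is 1 only when startTime <= timestamp < endTime, so the start bound is inclusive and the end bound is exclusive.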