Closed code423n4 closed 1 year ago
0age
commented
1 year ago contested; this is a very common pattern used across all marketplaces, otherwise the fulfiller would have to sign an order, then submit a transaction whenever matching against another order
0age
commented
1 year ago also, "calling the function from the offerer's address" implies that the offerer's address is compromised in which case the offerer is already toast
HickupHH3
commented
1 year ago dup #29
c4-judge
commented
1 year ago HickupHH3 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/ProjectOpenSea/seaport/blob/5de7302bc773d9821ba4759e47fc981680911ea0/contracts/lib/Verifiers.sol#L71
Vulnerability details
Impact
it could have a significant impact on the security of the smart contract. The function is intended to verify the signature of an order, but if the offerer is the caller, the function skips the signature verification. This could allow someone other than the offerer to approve an order if they are able to call the function from the offerer's address. (For example, An attacker could approve an order they should not be able to approve, potentially allowing them to buy or sell assets at an unfair price).
Proof of Concept
1.Deploy the Verifiers contract to a test blockchain. 2.Create an order with a specific offerer address. 3.Using the address of the offerer, call the _verifySignature function with a signature that is not generated by the offerer. By doing above steps, observe that the function accepts the signature and the order is approved.
Tools Used
Recommended Mitigation Steps
One solution would be to remove the check that skips the signature verification if the offerer is the caller. This would ensure that the signature is always verified, regardless of who is calling the function. OR By adding an additional check to ensure that the caller is the offerer before allowing the function to skip the signature verification, which would prevent attackers from being able to call the function from the offerer's address to bypass the signature verification.