code-423n4 / 2023-01-opensea-findings


Reentrancy attacks: if the functions in the interfaces are called in a malicious contract that calls back into the calling contract before the first call completes. #88

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/ProjectOpenSea/seaport/blob/5de7302bc773d9821ba4759e47fc981680911ea0/contracts/interfaces/AbridgedTokenInterfaces.sol#L11

Vulnerability details

Impact

Reentrancy attacks could be possible if the functions in the interfaces are called in a malicious contract that calls back into the calling contract before the first call completes.

Proof of Concept

A malicious contract is created that calls the "transferFrom" function in the ERC20Interface, but before the function call completes, the malicious contract calls back into the calling contract to transfer more tokens. This can be repeated multiple times, allowing the attacker to drain the target contract of all its tokens.

Tools Used

None

Recommended Mitigation Steps

0age commented 1 year ago

contested; seaport has reentrancy locks on all state-changing functions and we explicitly called out cross-contract reentrancy as out of scope

c4-judge commented 1 year ago

HickupHH3 marked the issue as unsatisfactory: Out of scope

HickupHH3 commented 1 year ago

Insufficient proof.
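
The kind of reentrancy lock 0age's comment refers to, sketched as an added Solidity illustration: this is not Seaport's code and not part of the thread, and every name in it (`GuardedSettlement`, `fill`, `CallbackToken`) is hypothetical. A lock like this rejects re-entry only into the contract that holds it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; hypothetical names throughout, not Seaport's code.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract GuardedSettlement {
    uint256 private constant _NOT_ENTERED = 1;
    uint256 private constant _ENTERED = 2;
    uint256 private _status = _NOT_ENTERED;
    mapping(bytes32 => bool) public filled; // hypothetical per-order state
    error NoReentrantCalls();

    modifier nonReentrant() {
        // A callback arriving while _status == _ENTERED is rejected here,
        // before any state of this contract is read or written.
        if (_status == _ENTERED) revert NoReentrantCalls();
        _status = _ENTERED;
        _;
        _status = _NOT_ENTERED;
    }

    // State-changing entry point. The token address is caller-supplied, so
    // transferFrom may run arbitrary code, including a call back into fill().
    function fill(bytes32 orderId, IERC20Like token, address from, address to, uint256 amount)
        external
        nonReentrant
    {
        require(!filled[orderId], "already filled");
        filled[orderId] = true; // effects before the external interaction
        require(token.transferFrom(from, to, amount), "transfer failed");
    }
}

// Test double: a token whose transferFrom tries to re-enter its caller,
// used to confirm that the nested call is reverted by the lock.
contract CallbackToken is IERC20Like {
    bool public reentryBlocked;

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        try GuardedSettlement(msg.sender).fill(keccak256("second"), this, from, to, amount) {
            reentryBlocked = false;
        } catch {
            reentryBlocked = true; // nested fill() reverted with NoReentrantCalls
        }
        return true;
    }
}
```

Calling `fill` with a `CallbackToken` as the token leaves `reentryBlocked` set to `true` and only the outer order marked as filled.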